Download:
pdf |
pdfFriday,
January 23, 2004
Part II
Department of
Health and Human
Services
Office of the Secretary
45 CFR Part 162
HIPAA Administrative Simplification:
Standard Unique Health Identifier for
Health Care Providers; Final Rule
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
PO 00000
Frm 00001
Fmt 4717
Sfmt 4717
E:\FR\FM\23JAR2.SGM
23JAR2
�3434
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Office of the Secretary
45 CFR Part 162
[CMS–0045–F]
RIN 0938–AH99
HIPAA Administrative Simplification:
Standard Unique Health Identifier for
Health Care Providers
AGENCY: Centers for Medicare &
Medicaid Services, HHS.
ACTION: Final rule.
SUMMARY: This final rule establishes the
standard for a unique health identifier
for health care providers for use in the
health care system and announces the
adoption of the National Provider
Identifier (NPI) as that standard. It also
establishes the implementation
specifications for obtaining and using
the standard unique health identifier for
health care providers. The
implementation specifications set the
requirements that must be met by
‘‘covered entities’’: Health plans, health
care clearinghouses, and those health
care providers who transmit any health
information in electronic form in
connection with a transaction for which
the Secretary has adopted a standard
(known as ‘‘covered health care
providers’’). Covered entities must use
the identifier in connection with
standard transactions.
The use of the NPI will improve the
Medicare and Medicaid programs, and
other Federal health programs and
private health programs, and the
effectiveness and efficiency of the
health care industry in general, by
simplifying the administration of the
health care system and enabling the
efficient electronic transmission of
certain health information. This final
rule implements some of the
requirements of the Administrative
Simplification subtitle F of the Health
Insurance Portability and
Accountability Act of 1996 (HIPAA).
EFFECTIVE DATE: May 23, 2005, except
for the amendment to § 162.610, which
is effective on January 23, 2004. Health
care providers may apply for NPIs
beginning on, but no earlier than, May
23, 2005.
FOR FURTHER INFORMATION CONTACT:
Patricia Peyton, (410) 786–1812.
SUPPLEMENTARY INFORMATION:
Copies: To order copies of the Federal
Register containing this document, send
your request to: New Orders,
Superintendent of Documents, P.O. Box
371954, Pittsburgh, PA 15250–7954.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
Specify the date of the issue requested
and enclose a check or money order
payable to the Superintendent of
Documents, or enclose your Visa or
Master Card number and expiration
date. Credit card orders can also be
placed by calling the order desk at (202)
512–1800 or by faxing to (202) 512–
2250. The cost for each copy is $10. As
an alternative, you can view and
photocopy the Federal Register
document at most libraries designated
as Federal Depository Libraries and at
many other public and academic
libraries throughout the country that
receive the Federal Register. This
Federal Register document is also
available from the Federal Register
online database through GPO access, a
service of the U.S. Government Printing
Office. The Web site address is http://
www.access.gpo.gov/nara/index.html.
This document is also available from the
Department’s Web site at http://
aspe.hhs.gov/admnsimp/.
I. Background
In order to administer its programs, a
health plan assigns identification
numbers to its providers of health care
services and its suppliers. A health plan
may be, among other things, a Federal
program such as Medicare, a State
Medicaid program, or a private health
plan. The identifiers it assigns are
frequently not standardized within a
single health plan or across health
plans, which results in the single health
care provider having different
identification numbers for each health
plan, and often having multiple billing
numbers issued within the same health
plan. This complicates the health care
provider’s claims submission processes
and may result in the assignment of the
same identification number to different
health care providers by different health
plans.
A. NPI Initiative
In July 1993, the Centers for Medicare
& Medicaid Services (CMS) (formerly
the Health Care Financing
Administration (HCFA)), undertook a
project to develop a health care provider
identification system to meet the needs
of the Medicare and Medicaid programs
and, ultimately, the needs of a national
identification system for all health care
providers. Active participants in the
project represented both government
and the private sector. The project
participants decided to develop a new
identifier for health care providers
because existing identifiers did not meet
the criteria for national standards. The
new identifier, known as the National
Provider Identifier (NPI), did not have
the limitations of the existing
PO 00000
Frm 00002
Fmt 4701
Sfmt 4700
identifiers, and it met the criteria that
had been recommended by the
Workgroup for Electronic Data
Interchange (WEDI) and the American
National Standards Institute (ANSI).
B. The Results of the NPI Initiative
As a result of the project, and before
the Health Insurance Portability and
Accountability Act of 1996 (HIPAA),
Pub. L. 104–191, which was enacted on
August 21, 1996, required the adoption
and use of a standard unique identifier
for health care providers, CMS and the
other project participants accepted the
NPI as the standard unique health
identifier for health care providers. CMS
decided to implement the NPI for
Medicare, and began work on
developing the National Provider
System (NPS), which was intended to
capture health care provider data and be
equipped with the technology necessary
to maintain and manage the data. The
NPS was intended to be able to accept
health care provider data in order to
uniquely identify a health care provider
and assign it an NPI. The NPS was
intended to be designed so it could be
used by other Federal and State
agencies, and by private health plans, if
deemed appropriate, to enumerate their
health care providers that did not
participate in Medicare.
C. Legislation
The Congress included provisions to
address the need for a standard unique
health identifier for health care
providers and other health care system
needs in the Administrative
Simplification provisions of HIPAA.
Through subtitle F of title II of that law,
the Congress added to title XI of the
Social Security Act (the Act) a new part
C, entitled ‘‘Administrative
Simplification.’’ (Pub. L. 104–191 affects
several titles in the United States Code.)
The purpose of part C is to improve the
Medicare and Medicaid programs in
particular, and the efficiency and
effectiveness of the health care system
in general, by encouraging the
development of a health information
system through the establishment of
standards and implementation
specifications to facilitate the electronic
transmission of certain health
information.
Part C of title XI consists of sections
1171 through 1179 of the Act. These
sections define various terms and
impose requirements on the Secretary of
the Department of Health and Human
Services (HHS), health plans, health
care clearinghouses, and certain health
care providers concerning the adoption
of standards and implementation
specifications relating to health
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
information. Section 1173(b) of the Act
requires the Secretary to adopt
standards providing for a standard
unique health identifier for each
individual, employer, health plan, and
health care provider for use in the
health care system and to specify the
purposes for which the identifiers may
be used. It also requires the Secretary to
consider multiple locations and
specialty classifications for health care
providers in developing the standard
health identifier for health care
providers. We discussed other general
aspects of the HIPAA statute in greater
detail in the May 7, 1998, proposed rule
(63 FR 25320).
D. Plan for Implementing
Administrative Simplification
Standards
On May 7, 1998, we proposed a
standard unique health identifier for
health care providers and requirements
concerning its implementation (63 FR
25320). That proposed rule also set forth
requirements that health plans, health
care clearinghouses, and covered health
care providers would have to meet
concerning the use of the standard. On
May 7, 1998, we also proposed
standards for transactions and code sets
(63 FR 25272). We published the final
rule, entitled Health Insurance Reform:
Standards for Electronic Transactions
(the Transactions Rule), on August 17,
2000 (65 FR 50312). On May 31, 2002,
in two separate proposed rules, we
published proposed modifications to the
Standards for Electronic Transactions.
We published a final rule adopting
modifications to the Transactions Rule
on February 20, 2003 (68 FR 8381).
On November 3, 1999, we proposed
standards for privacy of individually
identifiable health information (64 FR
59918). We published the final rule,
entitled Standards for Privacy of
Individually Identifiable Health
Information (the Privacy Rule), on
December 28, 2000 (65 FR 82462). On
March 27, 2002, we proposed
modifications to the Privacy Rule. On
August 14, 2002, we published
modifications to the Privacy standards
in a final rule, entitled ‘‘Standards for
Privacy of Individually Identifiable
Health Information’’ (the Privacy Rule
Modifications) (67 FR 53182).
On June 16, 1998, we proposed the
standard unique employer identifier (63
FR 32784). On May 31, 2002, we
published the final rule, entitled
‘‘Standard Unique Employer Identifier’’
(67 FR 38009).
On August 12, 1998, we proposed
standards for security and electronic
signatures (63 FR 43242). On February
20, 2003, we published the final rule on
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
security standards (the Security Rule)
(68 FR 8334).
On April 17, 2003, we published an
interim final rule adopting procedures
for the investigation and imposition of
civil money penalties and the conduct
of hearings when the imposition of a
penalty is challenged (68 FR 18895).
The interim final rule is the first
installment of a larger rule, known as
the Enforcement Rule, the rest of which
is to be proposed at a later date.
We will be proposing standards for
the unique health plan identifier and
claims attachments.
In the May 7, 1998, proposed rule for
the standard unique health identifier for
health care providers, we proposed to
add a new part 142 to title 45 of the
Code of Federal Regulations (CFR) for
the administrative simplification
standards and requirements. We have
decided to codify the final rules in 45
CFR part 162 instead of part 142. The
Transactions Rule (65 FR 50312)
explains why we made this change and
lists the subparts and sections
comprising part 162. In this final rule,
we reference the proposed text using
part 142, and reference the final text
using part 162.
In the Transactions Rule, we
addressed (at 65 FR 50314) the
comments that were made on issues that
were common to the proposed rules on
standards for electronic transactions, the
standard employer identifier, the
standards for security and electronic
signatures, and the standard health care
provider identifier. Those issues relate
to applicability, definitions, general
effective dates, new and revised
standards, and the aggregate impact
analysis. In that final rule, we set out
the general requirements in part 160
subpart A and part 162 subpart A. We
refer the reader to that rule for more
information on all but our discussion of
issues pertinent to the standard unique
health identifier for health care
providers and the definition of health
care provider.
E. Employer Identifier Standard: Waiver
of Proposed Rulemaking and Effective
Date for Uses of Employer Identifier
As stated in section I.D., ‘‘Plan for
Implementing Administrative
Simplification Standards,’’ of this
preamble, we published the final rule
that adopted the standard unique
employer identifier on May 31, 2002 (67
FR 38009). The Employer Identifier was
adopted as that standard effective July
30, 2002. We amend § 162.610 as
explained below.
We ordinarily publish a correcting
amendment of proposed rulemaking in
the Federal Register and invite public
PO 00000
Frm 00003
Fmt 4701
Sfmt 4700
3435
comment on the correcting amendment
before its provisions can take effect. We
also ordinarily provide a delay of 30
days in the effective date of the final
rule. We can waive notice and comment
procedure and the 30-day delay in the
effective date, however, if we find good
cause that a notice and comment
procedure is impracticable,
unnecessary, or contrary to the public
interest and we incorporate a statement
in the correcting amendment of this
finding and the reasons supporting that
finding.
We find that seeking public comment
on and delaying the effective date of this
correcting amendment would be
contrary to the public interest. Section
1173(b)(2) of the Act requires that the
standards regarding unique health care
identifiers specify the purposes for
which they may be used. Section
162.610 requires a covered entity to use
the standard unique employer
identifier—the employer identification
number (EIN) assigned by the Internal
Revenue Services (IRS), U.S.
Department of the Treasury—in
standard transactions that require an
employer identifier. Unless § 162.610 is
amended to permit use of the standard
unique employer identifier for all other
lawful purposes, the Act could be read
to subject covered entities that use their
EIN for other purposes to civil money
penalties under section 1176 of the Act
and criminal penalties under section
1177 of the Act, a result that we did not
intend. The IRS requires any taxpayer
assigned an EIN to use the EIN as its
taxpayer identifying number. Statutes
and regulations also authorize or require
other Federal agencies, including the
Departments of Agriculture, Commerce,
Education, Housing and Urban
Development, and Labor, to collect EINs
in connection with administering
various Federal programs and laws.
Since some of these agencies may
conduct transactions with covered
entities or may be covered entities in
their own right, failure to promptly
publish the correcting amendment
could cause conflict between § 162.610
and other statutory and regulatory
directives, generating uncertainty for
covered entities and potentially
disrupting the administration of other
Federal programs and laws. We believe
that it is necessary to eliminate that
uncertainty and potential disruption
and to do so as soon as practicable by
amending § 162.610 to include as
permitted uses of the EIN all other
lawful purposes. Therefore, we find
good cause to waive the notice and
comment procedure and the 30-day
E:\FR\FM\23JAR2.SGM
23JAR2
�3436
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
delay in the effective date as being
contrary to the public interest.
II. Provisions of the Regulations and
Discussion of Public Comments
Within each section of this final rule,
we set forth the proposed provision
contained in the May 7, 1998, proposed
rule, summarize and respond (if
appropriate) to the comments we
received on the proposed provision, and
present the final provision.
It should be noted that the proposed
rule contained multiple proposed
‘‘requirements.’’ In this final rule, we
replace the term ‘‘requirement’’ with the
term ‘‘implementation specification,’’
where appropriate. We do this to
maintain consistency with the use of
those terms as they appear in the statute
and the other published HIPAA rules.
Within the comment and response
portion of this final rule, for purposes of
continuity, however, we use the term
‘‘requirement’’ when we are referring
specifically to matters from the
proposed rule. In all other instances, we
use the term ‘‘implementation
specification.’’
In the May 7, 1998, proposed rule, we
proposed a standard unique health
identifier for health care providers. We
listed the kinds of identifying
information that would be collected
about each health care provider in order
to assign the identifier.
In addition to the requirement that
health care providers use the standard,
the May 7, 1998, proposed rule also
proposed other requirements for health
care providers:
• Each health care provider must
obtain, by application if necessary, an
NPI.
• Each health care provider must
accept and transmit NPIs whenever
required on all standard transactions it
accepts or transmits electronically.
• Each health care provider must
communicate to the National Provider
System (NPS) any changes to the data
elements in its record in the NPS within
60 days of the change.
• Each health care provider may
receive and use only one NPI. An NPI
is inactivated upon death or dissolution
of the health care provider.
A. General Provisions
1. Applicability
The May 7, 1998, proposed rule for
the standard unique health identifier for
health care providers discussed the
applicability of HIPAA to covered
entities. The proposed rule provided
that section 262 (Administrative
Simplification) of HIPAA applies to
health plans, health care clearinghouses,
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
and health care providers when health
care providers electronically transmit
any of the transactions to which section
1173(a)(1) of the Act refers. Comments
received with respect to Applicability
are discussed in sections II. A. 2.,
‘‘Definition of Health Care Provider,’’
and II. A. 5., ‘‘Implementation
Specifications for Health Care Providers,
Health Plans, and Health Care
Clearinghouses’’ of this preamble.
2. Definition of Health Care Provider
In the Transactions Rule, we
summarized the comments we received
on the definitions we proposed in the
May 7, 1998, NPI proposed rule (at 63
FR 25324), with the exception of the
definition of ‘‘health care provider.’’ We
codified all of the definitions in 45 CFR
160.103 and 45 CFR 162.103.
Specifically, we codified the definition
of ‘‘health care provider’’ at 45 CFR
160.103. We are responding in this
preamble to the comments we received
on the definition of ‘‘health care
provider,’’ as we believe that these
comments present issues that are more
relevant to the standard unique health
identifier for health care providers. As
appropriate, our responses refer to
discussions and decisions that were
published in the Privacy Rule (65 FR
82462). This final rule does not change
the definition of ‘‘health care provider’’
at § 160.103. This final rule adds the
definition of ‘‘covered health care
provider’’ at § 162.402.
Proposed Provisions (§ 142.103)
In the May 7, 1998, proposed rule, we
proposed to define ‘‘health care
provider’’ as a provider of services as
defined in section 1861(u) of the Act, a
provider of medical or other health
services as defined in section 1861(s) of
the Act, and any other person who
furnishes or bills and is paid for health
care in the normal course of business
(63 FR 25325). We based the proposed
definition on section 1171(3) of the Act
for the reasons we stated in the May 7,
1998, proposed rule.
Comments and Responses on the
Definition of ‘‘Health Care Provider’’
Comment: We received many
comments concerning the kinds of
entities that should receive NPIs. Some
of these comments recommended that
the definition of a ‘‘health care
provider’’ be constructed narrowly to
restrict the kinds of entities that would
be eligible to receive NPIs; others
recommended that the definition be
constructed broadly. Comments did not
reflect a consensus or majority view
across all commenters or even within
the two groups of commenters who
PO 00000
Frm 00004
Fmt 4701
Sfmt 4700
recommended a narrow or a broad
definition of ‘‘health care provider.’’
Commenters favoring a narrow
definition of ‘‘health care provider’’
gave the following examples of entities
to which NPIs should or should not be
issued:
• Only to those licensed to furnish
health care.
• Only to individuals and entities
that furnish health care.
• Only to billing health care
providers.
• Only to licensed health care
providers that furnish care, bill, and are
paid by third party payers for services.
• Not to physicians who have opted
out of government medical programs.
• Not to groups, partnerships, or
corporations.
• Not to entities that bill or are paid
for health care services furnished by
other health care providers. A billing or
pay-to entity should be identified by its
taxpayer identifying number, not by an
NPI.
• Not to clearinghouses,
administrative services only vendors,
billing services, or health care provider
service locations.
Commenters favoring a broad
definition of ‘‘health care provider’’
gave the following examples of entities
to which NPIs should be issued:
• Any health care provider that has a
taxpayer identifying number.
• Any individual or organization,
including Independent Practice
Associations and clearinghouses, that
ever has custody of or transmits a health
care claim or encounter record.
• All health care provider groups.
• Each billing health care provider,
health care provider billing location,
pay-to provider, performing health care
provider, health care provider service
location, and health care provider
specialty.
• Each incorporated individual and
‘‘doing business as’’ name of an
organization.
• The lowest organizational level of
an entity that needs to be identified.
Response: Although there was no
consensus from commenters as to which
entities should receive NPIs, several
principles can be inferred.
Many commenters who favored a
narrow definition of ‘‘health care
provider’’ want to simplify the current
situation for health care providers; that
is, a health care provider may have
many health care provider numbers
assigned by health plans for different
business functions. The health care
provider numbers sometimes represent
the actual health care provider that
furnishes health care, but may also
represent the health care provider’s
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
service locations, corporate
headquarters, specialties, pay-to
arrangements, or contracts. Those who
favored a narrow definition generally
believed the NPI should represent only
the health care provider that furnishes
health care.
Commenters who favored a broad
definition of ‘‘health care provider’’
recognized the many business functions
and uses in health care transactions
fulfilled by health care provider
numbers today. These business
functions will continue to need to be
performed after the implementation of
the NPI. In order for the NPI to replace
the multiple, proprietary health care
provider numbers assigned by health
plans today, the NPI must be assigned
so that the business functions can
continue. Those who favored a broad
definition believed that if the NPI is not
able to identify the health care provider
entities that must be identified in an
electronic health care claim or
equivalent encounter information
transaction, health plans will be forced
to continue to use their existing
proprietary health care provider
numbers and the NPI will add to, rather
than replace or simplify, health care
provider numbering systems currently
in use.
The varying needs for health care
provider numbers guided our decisions
on which entities would be eligible to
receive NPIs. Our general rule is that all
health care providers, as we define that
term in the regulations, will be eligible
to receive NPIs. We discuss this in
detail later in this section.
It is important to note that not all
health care providers who are eligible to
receive NPIs will necessarily be
required to comply with the HIPAA
regulations. This is because some health
care providers are not covered entities
under HIPAA. The fact that a health
care provider obtains an NPI does not
impose covered entity status on that
health care provider. Only those entities
that (1) meet the definition of health
care provider at § 160.103, and (2)
transmit health information in
electronic form on their own behalf, or
that use a business associate to transmit
health information in electronic form on
their behalf, in connection with a
transaction for which the Secretary has
adopted a standard (a covered
transaction) are health care providers
who are required to comply with the
HIPAA regulations. These health care
providers are covered health care
providers and are considered ‘‘covered
entities’’ under HIPAA. As noted above,
we add a definition of ‘‘covered health
care provider’’ at § 162.402.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
The following discussion clarifies the
eligibility of health care providers to be
assigned NPIs and distinguishes
between those that are covered entities
under HIPAA and those that are not.
‘‘Health care provider’’ is defined in
the regulations at § 160.103 as follows
‘‘Health care provider means a provider
of services as defined in section 1861(u)
of the Act, 42 U.S.C. 1395X(u), a
provider of medical or health services as
defined in section 1861(s) of the Act, 42
U.S.C. 1395x(s), and any other person or
organization who furnishes, bills, or is
paid for health care in the normal
course of business.’’ Examples of health
care providers included in this
definition are: Physicians and other
practitioners; hospitals and other
institutional providers; suppliers of
durable medical equipment, supplies
related to health care, prosthetics, and
orthotics; pharmacies (including on-line
pharmacies) and pharmacists; and group
practices. Additional examples are
health maintenance organizations that
may be considered health care providers
as well as health plans if they also
provide health care.
There are individuals and
organizations that furnish atypical or
nontraditional services that are
indirectly health care-related, such as
taxi, home and vehicle modifications,
insect control, habilitation, and respite
services. These types of services are
discussed in the Transactions Rule at 65
FR 50315. As stated in that Rule, many
of these services do not qualify as health
care services because the services do not
fall within our definition of ‘‘health
care.’’ An individual or organization
must determine if it provides any
services that fall within our definition of
‘‘health care’’ at § 160.103. If it does
provide those services, it is considered
a health care provider and would be
eligible for an NPI. If it does not, and
does not provide other services or
supplies that bring it within the
definition of ‘‘health care provider,’’ it
would not be a health care provider
under HIPAA, and would not be eligible
to receive an NPI.
The nonhealth care services of some
atypical or nontraditional service
providers are reimbursed by some
health plans. Nevertheless, there is no
requirement under HIPAA to use the
standard transactions when submitting
electronic claims for these types of
services, because claims for these
services are not claims for health care.
(Health plans, however, are free to
establish their own requirements for
submitting claims in these
circumstances, which means that a
health plan could require atypical and
nontraditional service providers to
PO 00000
Frm 00005
Fmt 4701
Sfmt 4700
3437
submit standard transactions. The
health plans could not require these
entities to obtain NPIs to use in those
transactions, however, because those
entities are not eligible to receive NPIs.)
There are other individuals and
organizations that, in the normal course
of business, bill or receive payment for
health care that is furnished by health
care providers. These individuals and
organizations may include billing
services, value-added networks, and
repricers. While these entities bill for
health care, we do not read the statutory
definition of ‘‘health care provider’’ as
encompassing them. Rather, they would
usually be acting as agents of health care
providers in performing the billing
function, or as health care
clearinghouses assuming that they
perform the data translation function
described in the definition of ‘‘health
care clearinghouse’’ at § 160.103. The
definition of ‘‘health care
clearinghouse’’ specifically lists these
entities as examples of health care
clearinghouses. The health care industry
does not consider these types of entities
to be health care providers. Further, we
do not believe that the Congress
intended for them to be considered as
such, as the statutory definition of
‘‘health care provider’’ refers only to
‘‘other person furnishing health care
services or supplies’’ and thus would
exclude persons who only bill for, but
do not furnish, health care services or
supplies. Thus, this final rule does not
include billing services and similar
entities as health care providers.
Therefore, because these kinds of
entities are not health care providers,
they will not be eligible for NPIs.
Comment: The Workgroup for
Electronic Data Interchange (WEDI)
commented that the NPI should be the
only identifier for health care providers
when the HIPAA transactions require
provider identification. WEDI suggested
that, to the extent provider-payer
contracts require locations, location
codes, and contract references, these
should be handled outside of the NPS.
To the extent numbers associated with
providers (for example, Taxpayer
Identifying Number (TIN) and Drug
Enforcement Administration (DEA)
number) are required for specific
purposes other than provider
identification, the HIPAA transactions
should accommodate those numbers
(and qualifiers) in the appropriate
segments of the transactions.
WEDI recommended that:
• Health care providers who are
individual human beings obtain one and
only one NPI for life;
• Health care providers endeavor to
have only one NPI per organization, but
E:\FR\FM\23JAR2.SGM
23JAR2
�3438
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
that the final decision on how many
NPIs are necessary for an organization
health care provider be left to the health
care provider; and
• At a minimum, and as the most
critical criterion, the NPS data
associated with any additional NPIs that
an organization decides to obtain must
not be identical to those associated with
any other NPI in use by the
organization.
Some commenters supported our
proposal that, if a separate physical
location of an organization health care
provider, member of a chain, or subpart
of an organization health care provider
needs to be separately identified, it
would be eligible to get a separate NPI.
A few commenters stated that different
physical locations or subparts of an
organization health care provider
should not get separate NPIs. One
commenter recommended that the NPS
issue separate NPIs for separate physical
locations, members of a chain, or
subparts of an organization health care
provider only if these are separately
licensed or certified. The commenter
believes that the issuance of separate
licenses and certifications justifies their
recognition as separate health care
providers. Another commenter
recommended that the NPS issue
separate NPIs for these entities if
Medicare considers the entities to be
separate health care providers. A
number of large health plans consider
each physical location of a supplier of
health care-related supplies to be a
separate health care provider in order to
uniquely identify it on claims to enable
accurate pricing and reimbursement.
Response: We agree in concept with
the recommendations made by WEDI.
At the time we published the
proposed rule and received public
comments on it, the Secretary had not
yet adopted standards for any of the
HIPAA Administrative Simplification
provisions. Since that time, and as
noted in section I. D., ‘‘Plan for
Implementing Administrative
Simplification Standards’’ of this
preamble, the Secretary has adopted a
number of Administrative
Simplification standards, including the
Privacy and Security standards. The
following discussion describes the
assignment of NPIs to certain
organization health care providers and
the relationship, if any, of the
assignment methodology to the
standards and implementation
specifications adopted in the Privacy
and Security Rules.
Many health care providers that are
organizations (such as hospitals and
chains of suppliers of health carerelated supplies, pharmacies, and
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
others) are made up of components or
separate physical locations. Many of
these components or separate physical
locations are separately certified or
licensed by States as health care
providers.
• Examples of hospital components
include outpatient departments, surgical
centers, psychiatric units, and
laboratories. These components are
often separately licensed or certified by
States and may exist at physical
locations other than that of the hospital
of which they are a component. Many
health plans consider these components
to be health care providers in their own
right. Many of these components bill
independently of the hospital of which
they are a component.
• Organization health care providers
that are chains generally have a
corporate headquarters and a number of
separate physical locations. A durable
medical equipment supplier chain, for
example, has a corporate headquarters
and separate physical locations at which
durable medical equipment is dispensed
to patients. The separate physical
locations are generally separately
licensed or certified by States. They
often operate independently of each
other and usually do their own billing.
Many health plans consider each
separate physical location to be a health
care provider itself; and many of these
health plans, including Medicare,
reimburse for these items based on the
geographic location where the items are
dispensed to patients and not on the
geographic location of the corporate
headquarters.
An entity that meets certain Federal
statutory implementation specifications
and regulations is eligible to participate
in the Medicare program. Our definition
of ‘‘health care provider’’ at § 160.103
includes those eligible to participate in
Medicare as described in Federal statute
(that is, in § 1861(s) and § 1861(u) of the
Social Security Act). These entities,
according to Federal statute and
regulations, must be issued their own
identification numbers in order to bill
and receive payments from Medicare.
The Federal statutes and regulations
similarly affect the Medicaid program.
Health care providers that are covered
entities (see the definition at § 160.103)
are required to comply with this final
rule. Thus, while all health care
providers (as defined in § 160.103) are
eligible to be assigned NPIs and may,
therefore, obtain NPIs, health care
providers that are covered entities must
obtain NPIs. As mentioned earlier in
this section, a health care provider that
is not a covered entity and which has
been assigned an NPI does not become
PO 00000
Frm 00006
Fmt 4701
Sfmt 4700
a covered entity as a result of NPI
assignment.
We refer to the components and
separate physical locations described in
the bulleted examples above as
‘‘subparts’’ of organization health care
providers.
We use the term ‘‘subpart’’ to avoid
confusion with the term ‘‘health care
component’’ in the Privacy and Security
Rules. We discuss terms and concepts in
the Privacy and Security Rules later in
this section.
Section 1173(b)(1) of the Act provides
that the Secretary ‘‘shall take into
account multiple uses for identifiers and
multiple locations and specialty
classifications for health care
providers.’’ This language indicates that
Congress realized that certain health
care providers operate at multiple
locations and/or provide multiple types
of health care services, and intended
that the identifier standard take these
variations in circumstance into account.
We accommodate this language by
requiring covered health care providers
to obtain NPIs for subparts of their
organizations that would otherwise
meet the tests for being a covered health
care provider themselves if they were
separate legal entities, and permitting
health care providers to obtain NPIs for
subparts that do not meet these tests but
otherwise qualify for assignment of an
NPI. For example, a subpart may qualify
for assignment of an NPI based on such
factors as the subpart having a location
and licensure separate from the
organization health care provider of
which it is a subpart. Licensure is often
indicative of specialty (Healthcare
Provider Taxonomy) classification.
Thus, the assignment scheme created by
this final rule provides flexibility in
addressing the varied circumstances of
health care providers, as Congress
intended.
A ‘‘subpart’’ described in this final
rule may differ from a ‘‘health care
component’’ described in the Privacy
and Security Rules. Therefore, it is
appropriate to discuss these concepts
and their relationship, if any, to the
assignment of NPIs as established by
this final rule.
Standards and implementation
specifications for the Privacy and
Security standards fall under part 164—
Security and Privacy, of 45 CFR,
whereas the implementation
specifications for the standard unique
health identifier for health care
providers (and for the other identifiers
mandated by HIPAA) are within part
162—Administrative Implementation
Specifications, of 45 CFR. The broad
concepts of ownership, control, and
structure of covered entities are relevant
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
to determining the scope of, and
defining responsibility for,
implementing the Privacy and Security
standards; therefore, we addressed those
concepts in those rules. On the other
hand, the concepts of ownership,
control, and structure are of no
significant value or importance in
determining the health care providers
that may be eligible to obtain NPIs,
which is why those concepts are not
discussed in this final rule.
The term ‘‘hybrid entity’’ is defined in
part 164, which is applicable to the
Privacy and Security Rules, and may be
a factor in determining responsibility for
the implementation of the Privacy and
Security standards and implementation
specifications. It is defined in § 164.103
and is discussed in the Privacy Rule at
65 FR 82502. It is possible that an
organization health care provider may
be a hybrid entity and, as such, may
designate health care components for
purposes of implementing the Privacy
and Security Rules. It is possible and,
indeed, likely that subparts as described
earlier in this preamble may be health
care components of a hybrid entity. It is
also possible that the subparts may not
align precisely with the designated
health care components. There is no
necessary correlation between what is a
subpart and what is a health care
component, and there need not be
because, as stated above, the nature and
function of the Privacy and Security
standards differ from those of the health
care provider identifier standard. The
level of assignment of NPIs must be
adequate to enumerate entities that meet
the definition of ‘‘health care provider’’
at § 160.103. It is, therefore, possible
that a designated health care component
may in essence be assigned multiple
NPIs if the health care component is
made up of multiple health care
providers or subparts, as described
earlier.
The term ‘‘organized health care
arrangement’’ is discussed in the
Security and Privacy Rules and is
defined at § 160.103. It is possible that
subparts that are also health care
components may elect to come together
to form an organized health care
arrangement. Whether or not subparts
participate in an organized health care
arrangement for purposes of
implementing the Privacy or Security
standards has no effect on their
eligibility to be assigned NPIs.
It must be kept in mind, with respect
to the subparts as described in this
preamble, that the organization health
care provider is a legal entity and is the
covered entity under HIPAA if it (or a
subpart or component) transmits health
information in electronic form (or uses
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
a business associate to do so) in
connection with a covered transaction.
The subparts are simply parts of the
legal entity. The legal entity—the
covered entity—is ultimately
responsible for complying with the
HIPAA rules and for ensuring that its
subparts and/or health care components
are in compliance. The organization
health care provider, of which the
subpart is a part, is responsible for
ensuring that the subpart complies with
the implementation specifications in
this final rule. The organization health
care provider is responsible for
determining if its subpart or subparts
must be assigned NPIs, as discussed
above in this section of the preamble.
The organization health care provider is
also responsible for applying for NPIs
for its subparts or for instructing its
subparts to apply for NPIs themselves.
(That is, it is not necessary that an
application for an NPI be made by the
organization health care provider on
behalf of its subpart.)
Comment: Some commenters
expressed concern that the professional
claim or equivalent encounter
information transaction be able to
accommodate address or location
information associated with billing, payto, and furnishing health care providers.
Response: The ASC X12N 837 Health
Care Claim: Professional, adopted in the
Transactions Rule, accommodates
addresses for all these entities.
Comment: Some commenters stated
their desire for an identifier to represent
each service address, for the purpose of
reporting the location of service on a
professional health care claim.
Response: We believe that the
location of service can properly be
reported by use of data elements in the
standard professional health care claim
or equivalent encounter information
transaction. The address where service
was furnished (if different from the
billing or pay-to provider’s address and
if not at the patient’s home) is
accommodated in the X12N 837
Professional Claim in the Service
Facility Location loop. For these
reasons, we do not believe a health care
provider identifier needs to be assigned
to every address at which a service can
be provided. If health plans need service
location data in addition to the data that
are accommodated in the standard
health care claim transaction, they
should notify the organization
responsible for that transaction (see
§ 162.910 and § 162.1102).
Comment: Several commenters named
specific kinds of practitioners or entities
that should be eligible to receive NPIs.
These commenters cited practitioners
who write prescriptions, home health
PO 00000
Frm 00007
Fmt 4701
Sfmt 4700
3439
housekeepers, long-term care providers,
providers of home health services,
meals on wheels, and transportation.
Response: Entities that do not furnish
health care, and do not meet the
definition of health care provider, will
not be eligible to receive NPIs. A title
does not necessarily indicate that an
entity does or does not furnish health
care. Entities who are unsure as to
whether they are health care providers
should check the definition of ‘‘health
care’’ in § 160.103 to determine whether
the kinds of services they furnish are
health care services.
Comment: Some commenters stated
that billing services should not receive
NPIs. None of these commenters gave a
definition or criteria to distinguish
billing services from entities that would
be eligible to be assigned NPIs. Other
commenters stated that these definitions
and criteria would be difficult to apply.
Response: As stated earlier in this
section, billing services do not meet our
regulatory definition of health care
provider and, therefore, will not be
eligible for NPIs. Generally, the health
care provider that furnished health care
is the ‘‘Billing provider’’ on the X12N
837 transaction and would identify
itself with an NPI. If a billing service
needs to be identified as the ‘‘Billing
provider,’’ it would identify itself with
either an Employer Identification
Number (EIN) or a Social Security
Number (SSN).
Comment: Several commenters noted
that the term ‘‘medical care’’ in our
descriptions of individual and
organization health care providers
should be replaced with the term
‘‘health care.’’ They were concerned that
one could construe ‘‘medical care’’ to
mean only care that was physiciansupplied or physician-authorized.
Response: We agree with the
comment and have replaced the term
‘‘medical care’’ with ‘‘health care’’ in
our discussion of individual and
organization health care providers.
Comment: A majority of commenters
stated that the NPS should not
distinguish between organization health
care providers and group health care
providers. The NPS should collect the
same data for both. A few other
commenters suggested a definition for
group, but did not suggest that different
data should be collected for a group
health care provider than for an
organization health care provider.
Response: As described in the
proposed rule (at 63 FR 25325), group
health care providers are entities
composed of one or more individuals
(members), generally created to provide
coverage of patients’ needs in terms of
office hours, professional backup and
E:\FR\FM\23JAR2.SGM
23JAR2
�3440
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
support, or range of services resulting in
specific billing or payment
arrangements. Organization health care
providers are health care providers who
are not individual health care providers
(that is, health care providers who are
human beings). Examples of
organization health care providers are
hospitals, pharmacies, and nursing
homes. For purposes of this rule, we
consider group health care providers to
be organization health care providers.
There is additional information about
these health care providers in section
II.C.1.(d) of this preamble.
We agree with the majority of
commenters that the NPS should collect
the same data for group and
organization health care providers.
Because the same data are collected,
there is no need for separate definitions
of group and organization health care
providers for NPI enumeration
purposes.
Comment: Several commenters
suggested that an NPI suffix or subidentifier (sub-ID) be used to identify
physical locations or subparts of a
health care provider. Two commenters
suggested that we explore the need for
an electronic data interchange (EDI)
identifier for transaction routing.
Response: We considered allowing
each health care provider, if it so chose,
to establish sub-IDs under its NPI. The
health care provider might use the subIDs for different physical locations,
subparts, EDI transaction routing, or
other purposes. We decided not to
establish sub-IDs because our decisions
regarding which entities would be
eligible to receive NPIs (including
separate physical locations and subparts
of certain kinds of organization health
care providers) obviate the need for
them. Sub-IDs may be useful as a later
implementation feature that would
support EDI routing or other purposes.
We will consider an expansion at a later
time to include them, if we determine
that they would be beneficial.
Comment: Many commenters stated
that all health care providers should be
able to obtain NPIs, whether they
conduct health care transactions
electronically or on paper. Some
commenters stated that health care
providers that do not conduct any of the
transactions named in HIPAA should be
able to obtain NPIs.
Response: All health care providers—
as we define that term—may obtain
NPIs. Only covered health care
providers are required to obtain and use
NPIs in standard transactions.
Comment: Many commenters stated
that NPIs should be mandatory for paper
and fax transactions, as well as
electronic.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
Response: In the May 7, 1998,
proposed rule, we did not propose to
apply this standard to paper
transactions. Therefore, we focus on
standards for electronic transactions.
Most of the paper forms currently in use
today cannot accommodate all of the
data content included in the standard
transactions. This does not prevent
health plans from requiring for paper
transactions the same data, including
identifiers, as are required by the
HIPAA regulations for electronic
transactions.
Final Provisions (§ 160.103)
As defined by section 1171(3) of the
Act, a ‘‘health care provider’’ is a
provider of services as defined in
section 1861(u) of the Act, a provider of
medical or other health services as
defined in section 1861(s) of the Act,
and any other person who furnishes
health care services or supplies. Section
160.103 defines ‘‘health care provider’’
as the statute does and clarifies that the
definition of a ‘‘health care provider’’
includes any other person or
organization that furnishes, bills, or is
paid for health care in the normal
course of business.
Section 1173(b)(1) of the Act requires
the Secretary to adopt standards
providing for a standard unique health
identifier for each health care provider,
and to take into account multiple uses,
locations, and specialty classifications
for health care providers. All health care
providers who meet our definition of
‘‘health care provider’’ at § 160.103,
regardless of whether they conduct
transactions electronically or on paper
or conduct any covered transactions
will be eligible to apply for health care
provider identifiers.
We define ‘‘covered health care
provider’’ at § 162.402. Subparts of
organization health care providers, as
described earlier in this section, may be
assigned NPIs.
Registered nurses, dental hygienists,
and technicians are examples of entities
who furnish health care but who do not
necessarily conduct covered
transactions. They are eligible to receive
NPIs because they are health care
providers.
We define two categories of health
care providers for enumeration
purposes. A data element, the ‘‘Entity
type code,’’ in the NPS record for each
health care provider will indicate the
appropriate category.
• NPIs with an ‘‘Entity type code’’ of
1 will be issued to health care providers
who are individual human beings.
Examples of health care providers with
an ‘‘Entity type code’’ of 1 are
physicians, dentists, nurses,
PO 00000
Frm 00008
Fmt 4701
Sfmt 4700
chiropractors, pharmacists, and physical
therapists.
• NPIs with an ‘‘Entity type code’’ of
2 will be issued to health care providers
other than individual human beings,
that is, organizations. Examples of
health care provider organizations with
an ‘‘Entity type code’’ of 2 are: hospitals;
home health agencies; clinics; nursing
homes; residential treatment centers;
laboratories; ambulance companies;
group practices; health maintenance
organizations; suppliers of durable
medical equipment, supplies related to
health care, prosthetics, and orthotics;
and pharmacies.
Entities that participate in the
Medicare program and many that
participate in the Medicaid program are
eligible for NPIs. (Note, however, our
discussion of atypical and
nontraditional service providers earlier
in this section.) Many subparts of
organization health care providers (as
discussed earlier in this section) are
eligible to be assigned NPIs, and an NPI
must be obtained for, or by, them if they
would be considered a covered health
care provider if they were a separate
legal entity. By definition, subparts are
not themselves legal entities; the legal
entity is the organization health care
provider of which they are a subpart.
Organization health care provider
subparts—because they too are
organizations—will be issued NPIs with
‘‘Entity type code’’ of 2.
We do not consider individuals who
are health care providers (that is, they
meet our definition of ‘‘health care
provider’’ at § 160.103) and who are
members or employees of an
organization health care provider to be
‘‘subparts’’ of those organization health
care providers, as described earlier in
this section. Individuals who are health
care providers are legal entities in their
own right. The eligibility for an ‘‘Entity
type code 1’’ NPI of an individual who
is a health care provider and a member
or an employee of an organization
health care provider is not dependent
on a decision by the organization health
care provider as to whether or not an
NPI should be obtained for, or by, that
individual. The eligibility for an ‘‘Entity
type code 1’’ NPI of a health care
provider who is an individual is
separate and apart from that
individual’s membership or
employment by an organization health
care provider. If such an individual is a
covered health care provider, he or she
is required to obtain an NPI. An
example of the above discussion is a
physician who is a member of a group
practice. Both are health care providers
and, therefore, both may apply for NPIs,
but the physician would receive an
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
‘‘Entity type code 1’’ NPI, while the
group practice would receive an ‘‘Entity
type code 2’’ NPI. If either is a covered
health care provider, that covered health
care provider must apply for an NPI.
‘‘Entity type code’’ determinations
will be made according to the following:
• An individual human being
furnishes health care. The described
individual is a health care provider and
will be assigned an NPI with an ‘‘Entity
type code’’ of 1.
• An organization furnishes health
care. The described organization is a
health care provider and will be
assigned an NPI with an ‘‘Entity type
code’’ of 2.
• An organization health care provider
subpart, as described earlier in this
section, is a health care provider and
will be assigned an NPI with an ‘‘Entity
type code’’ of 2.
Hereafter in this preamble, we include
these subparts in our references to
health care providers unless there is a
reason to distinguish them.
An NPI will be used to identify the
health care provider on a health care
claim or equivalent encounter
information transaction. If an
organization health care provider
consists of subparts that are identified
with their own unique NPIs, a health
plan may decide to enroll none, one, or
a limited number of them (and to use
only the NPI(s) of the one(s) it enrolls).
A health plan may not require a health
care provider or a subpart of an
organization health care provider that
has an NPI to obtain another NPI for any
purpose. Links among the various NPI
types may be made and maintained by
health plans and other users of the NPS
data, but will not be maintained in the
NPS.
The data to be collected by the NPS
for health care providers are described
in section II. C. 2. of this preamble,
‘‘Data Elements and Data
Dissemination.’’ The NPS will capture
data elements for health care providers
with an ‘‘Entity type code’’ of 1
(individuals) that are different from
those that it will capture for those with
an ‘‘Entity type code’’ of 2
(organizations) because the data
available to search for duplicates (for
example, date and place of birth) are
different. The NPS will ensure the
uniqueness of the NPI by assigning only
one NPI to a health care provider with
a distinct string of data in the NPS. The
NPS will contain the kinds of data
necessary to adequately categorize each
entity to which it assigns an NPI. An
NPI will be a lasting identifier for the
health care provider to which it has
been assigned. For health care providers
with an ‘‘Entity type code’’ of 1, the NPI
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
will be a permanent identifier, assigned
for life, unless circumstances justify
deactivation, such as a health care
provider who finds that his or her NPI
has been used fraudulently by another
entity. In that situation, the health
provider can apply, and will be eligible,
for a new NPI, and the previously
assigned NPI will be deactivated. For
health care providers with an ‘‘Entity
type code’’ of 2, the NPI will also be
considered permanent, except in certain
situations such as when a health care
provider does not wish to continue an
association with a previously used NPI,
or when a health care provider’s NPI has
been used fraudulently by another. In
those situations, the health care
provider that holds the NPI can apply,
and be eligible for, a new NPI, and the
previously assigned NPI will be
deactivated. A new NPI will not be
required for change of ownership,
change from partnership to corporation,
or change in the State where an
organization health care provider is
incorporated; indeed, ownership and
incorporation information will not be
contained in the NPS. A new NPI will
not be required when there is a change
in an organization health care provider’s
name, Employer Identification Number,
address, Healthcare Provider Taxonomy
classification, State of licensure, or State
license number. Instead, the health care
provider will supply that information to
the NPS and the data in the NPS about
these entities will be updated. After a
corporate merger, the surviving
organization may continue to use its
NPI. A health care provider’s NPI will
not be deactivated if that health care
provider is sanctioned or barred from
one or more health plans. When an
organization health care provider is
disbanded, the organization health care
provider’s NPI will be deactivated. If a
previously deactivated organization
health care provider is later reactivated,
its previous NPI will be reactivated.
3. NPI Standard
Proposed Provisions (§ 142.402(a))
The May 7, 1998, proposed rule (at 63
FR 25328) described our proposal for
the standard health care provider
identifier. We proposed the NPI
standard as an 8-position alphanumeric
identifier. It would include as the 8th
position a numeric check digit to assist
in identifying erroneous or invalid NPIs.
The check digit would be a recognized
International Standards Organization
(ISO) standard. The check digit
algorithm would be computed from an
all-numeric base number. Therefore, any
alpha characters that may be part of the
NPI would be translated to a specific
PO 00000
Frm 00009
Fmt 4701
Sfmt 4700
3441
numeric before the calculation of the
check digit. The NPI format would
allow for the creation of approximately
20 billion unique identifiers. It would
be an intelligence-free identifier. In the
May 7, 1998 proposed rule, we also
proposed the type of data included in
the file containing identifying
information for each health care
provider.
In addition to the description of the
NPI standard, this section of the May 7,
1998, proposed rule discussed several
other points on which we received
comments:
We noted that we proposed the 8position alphanumeric format rather
than a longer numeric-only format in
order to keep the identifier as short as
possible while providing for an
identifier pool that would serve the
industry’s needs for a long time.
We listed selection criteria for the
standard and discussed candidate
identifiers, including the National
Association of Boards of Pharmacy
number, the Social Security Number,
and the Employer Identification
Number.
We noted that the USA Registration
Committee approved the NPI as an
International Standards Organization
card issuer identifier in August 1996 for
use on standard health identification
cards.
Comments and Responses on the NPI
Standard
Comment: Several commenters on the
format of the NPI expressed general
support for our proposal or specific
support for an 8-position alphanumeric
identifier. Very few of these commenters
gave a reason for support of the 8position alphanumeric format. A strong
majority of commenters recommended
instead that the NPI be a 10-position
numeric identifier, because a 10position identifier would yield an
adequate pool of identifiers and would
not exceed the length permitted for
identifiers in the standard transactions
proposed under HIPAA. A few other
commenters recommended a 9-position
numeric identifier. Several commenters
who favored a numeric identifier stated
that if additional capacity for NPIs were
needed in the future, additional
numeric digits should be added at that
time. Commenters who preferred a
numeric identifier were very specific in
listing its advantages. They stated that a
numeric identifier—
• Is more quickly and accurately
keyed in data-entry applications;
• Is more easily used in telephone
keypad applications;
• Does not require translation before
application of the check digit algorithm,
E:\FR\FM\23JAR2.SGM
23JAR2
�3442
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
and thus uses the full ability of the
check digit algorithm to detect keying
errors;
• Is compatible with ISO
identification card standards for a card
issuer identifier (discussed below),
while an alphanumeric identifier is not;
and
• Will require less change for systems
that currently use a numeric identifier.
Response: We find the stated
advantages of a 10-position numeric
identifier convincing. We have revised
proposed § 142.402 (now § 162.406(a))
to provide that the NPI will be a 10position numeric identifier, with the
10th position being an ISO standard
check digit. The use of a 10-digit
numeric NPI and our initial assignment
strategy will allow for 200 million
unique NPIs. We estimate 200 million
NPIs would last approximately 200
years, allowing for health care provider
growth, as discussed later in the
preamble of this final rule in section
V.D., ‘‘Specific Impact of the NPI.’’ If
additional capacity for NPIs is needed
in the future, additional numeric digits
will be added to the identifier at that
time. A modification to the NPI format
would be accomplished through
rulemaking. A 10-position numeric
identifier is specified in § 162.406(a).
Comment: Some commenters asked
that we clarify how the NPI would
appear when used as a card issuer
identifier on a standard health care
identification card. Commenters also
asked that we clarify any modification
made to the check digit algorithm to
allow the NPI to be used as a card issuer
identifier.
Response: In December 1997, an
American National Standard for a
Uniform Healthcare Identification Card
was approved by the National
Committee for Information Technology
Standards (NCITS), which is a
standards-developing organization
accredited by the American National
Standards Institute. The specification
for this standard, NCITS.284, is
available from the American National
Standards Institute, 11 West 42nd
Street, New York, New York 10036. One
identifier field on the standard health
care identification card is the card
issuer identifier. A card issuer identifier
is an identifier for an entity that issues
a health care identification card. In most
cases, the entity issuing a health care
identification card would be a health
plan; in some cases, however, the entity
could be a health care provider. We note
that, under HIPAA, health care
providers are neither required to issue
health care identification cards, nor to
use the NCITS.284 standard card. The
NCITS.284 standard requires that the
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
first five digits of the card issuer
identifier be ‘‘80840,’’ where the initial
two digits, 80, signify health
applications, the next three digits, 840,
signify United States. The remainder of
the card issuer identifier identifies the
entity that issued the card. In August
1996, the USA Registration Committee,
a standards-developing organization
accredited by the American National
Standards Institute, approved the NPI as
an identifier for a card issuer for use on
a standard health care identification
card. If the NPI is used to identify the
card issuer on a card that complies with
NCITS.284, the card issuer identifier
would consist of 15 positions as follows:
‘‘80840,’’ signifying health applications
in the United States, followed by the 10position NPI (the 9-position identifier
portion of the NPI, followed by the NPI
check digit).
We note that the initial five digits
‘‘80840’’ would be required with the
NPI only when the NPI is used as a card
issuer identifier on a standard health
care identification card. However, in
order that any NPI could potentially be
used as a component of the card issuer
identifier on a standard health care
identification card, the NPI check digit
calculation must always be performed
as though the NPI is preceded by
‘‘80840.’’ This is easily accomplished by
including a constant in the check digit
calculation when the NPI is used
without this prefix. The NPI check digit
is calculated using the ISO standard
Luhn check digit algorithm, a modulus
10 ‘‘double-add-double’’ algorithm. The
specification for calculation of the NPI
check digit will be made available on
the CMS Web site (http://
www.cms.hhs.gov). The specification
will explain how to compute the check
digit and how to verify an NPI using the
check digit, both when the ‘‘80840’’
prefix is present and when it is not.
Comment: A strong majority of
commenters supported our proposal
that the NPI be intelligence-free. A few
commenters stated that an intelligencefree identifier would not meet their
needs because their systems use the
facility provider type, which is coded as
part of the identifier in some current
systems.
Response: If the NPI were to include
intelligence, that is, coded information
about the health care provider, as part
of the identifier, a new NPI would have
to be issued any time the coded
information about the health care
provider changed. This would
undermine the lasting nature of the NPI.
For this reason we agree with the large
majority of commenters that the NPI not
contain intelligence about the health
care provider.
PO 00000
Frm 00010
Fmt 4701
Sfmt 4700
Comment: A small number of
commenters stated that the Taxpayer
Identifying Number (TIN) should be
selected, or reconsidered, as the
standard unique health identifier for
health care providers.
Response: The TIN is the identifier
under which the health care provider
reports a United States tax return to the
Internal Revenue Service (IRS). It can be
an SSN, assigned by the Social Security
Administration, or an IRS Individual
Taxpayer Identification Number (ITIN),
assigned by the IRS, or an EIN, assigned
by the IRS. A large number of
commenters on the ‘‘Data’’ section of the
May 7, 1998, NPI proposed rule stated
their opposition to dissemination of the
SSN except in strictly controlled
situations that fully comply with the
Privacy Act. Use of the SSN or the TIN
as the standard unique health identifier
for health care providers would require
the wide dissemination and use of the
SSN or TIN in the HIPAA transactions
under conditions that would not be
protected by the Privacy Act. The
majority of commenters did not support
the use of the SSN as the standard
unique health identifier for health care
providers for individuals.
Comment: The National Council for
Prescription Drug Programs requested
that we make several clarifications
regarding our reference to the National
Association of Boards of Pharmacy
(NABP) number, which we discussed as
a candidate identifier in the May 7,
1998, proposed rule.
Response: As requested, we note that
the NABP number has been renamed the
National Council for Prescription Drug
Programs (NCPDP) Provider Number. In
1997, the NCPDP and the NABP
mutually severed the contract made in
1977. The NCPDP has full responsibility
for maintenance of the pharmacy file.
The NCPDP Provider Number is issued
solely by NCPDP. All references to the
NABP number should be changed
instead to the NCPDP Provider Number.
Comment: A small number of
commenters stated that the proposed
NPI would not meet one or more of the
selection criteria for standards or would
not be consistent with the law because
it would not reduce the administrative
costs of providing and paying for health
care. These kinds of comments cited the
high costs of developing and operating
a new system for health care provider
enumeration.
Response: Elsewhere in this preamble,
we discuss how the collection of health
care provider data and the enumeration
of health care providers can be
satisfactorily accomplished with the NPI
and how those associated costs can be
kept to a minimum. We acknowledge
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
that organizations will incur costs in the
move to a standard enumeration
process. After the initial
implementation, however, we believe
that the costs will diminish
significantly, and that long-term use of
a standard identifier will be costeffective.
Final Provisions (§ 162.406(a))
We are adopting the NPI format of an
all-numeric identifier, 10 positions in
length, with an ISO standard check-digit
in the 10th position (§ 162.406(a)). The
NPI will not contain intelligence about
the health care provider. This format
and our assignment strategy will allow
for at least 200 million unique NPIs.
4. Effective Date and Compliance Dates
Proposed Provisions (§ 142.410)
The May 7, 1998, proposed rule
proposed the compliance dates for the
standard unique health identifier for
health care providers.
The May 7, 1998, proposed rule
proposed that:
• Each health plan that is not a small
health plan must comply with the
requirements of § 142.104 and § 142.404
by 24 months after the effective date of
the final rule.
• Each small health plan must
comply with the requirements of
§ 142.104 and § 142.404 by 36 months
after the effective date of the final rule.
• Each health care clearinghouse and
health care provider must begin using
the NPI by 24 months after the effective
date of the final rule.
Comments and Responses on Effective
Date and Compliance Dates
Comment: An overwhelming number
of commenters requested that there be
an extended period of time between the
publication of the NPI final rule and the
date the implementation period for the
NPI would begin. Commenters stated
that their resources were fully
committed to millennium issues and
that those resources could not be used
to address the numerous changes
needed to implement the NPI until after
the millennium work was satisfactorily
completed. Some commenters asked
that we publish the final rule on
Standards for Electronic Transactions
before any of the other rules.
Response: Work on the millennium is
complete. Many commenters are
undoubtedly expending resources at
this time in implementing the HIPAA
Privacy Rule (65 FR 82462 and 67 FR
53182), the Transactions Rule (65 FR
50312 and 68 FR 8381), the Security
Rule (68 FR 8334) and the Employer
Identifier Rule (67 FR 38009). The
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
reader should note that we published
the Transactions Rule (65 FR 50312)
before any of the other HIPAA final
rules. The National Provider System
(NPS) will be a large, complex system.
Its development cannot be finalized
until publication of this final rule. The
NPS must operate efficiently and be
capable of performing many operations.
It must undergo testing to ensure proper
operation of all functions and must pass
a variety of stress tests. To ensure
adequate time for completion of system
development and testing, we set the
effective date of this final rule to be 16
months after publication in the Federal
Register. Covered entities will need to
be in compliance no later than 24
months after the effective date (36
months for small health plans). While
the purpose of this extended effective
date is to allow HHS sufficient time for
NPS development and testing, it will
also permit health care entities
sufficient time to accommodate changes
needed in order to implement the NPI.
Final Provisions (§ 162.404)
We set the effective date and
compliance dates as follows:
a. Effective date of this final rule. The
effective date of the NPI is May 23,
2005. The effective date of this final rule
marks the beginning of the
implementation period for the NPI.
b. Compliance dates of the NPI. We
adopt the requirement that covered
entities (except small health plans) must
obtain an NPI and must use the NPI in
standard transactions no later than May
23, 2007. Small health plans must do so
no later than May 23, 2008.
If the Secretary adopts a modification
to this standard, the compliance date of
the modification would be no earlier
than the 180th day following the
adoption of the modification. The
Secretary would determine the actual
date, taking into account the time
needed to comply due to the nature and
extent of the modification. The
Secretary would be able to extend the
time for compliance with any
modification by small health plans by
rulemaking, if he determines that an
extension is appropriate.
5. Implementation Specifications for
Health Care Providers, Health Plans,
and Health Care Clearinghouses
Proposed Provisions (§ 142.404,
§ 142.406, and § 142.408)
In section II. E., ‘‘Requirements,’’ of
the preamble of the May 7, 1998,
proposed rule (63 FR 25330), we
discussed the requirements that health
plans, health care clearinghouses, and
covered health care providers would
PO 00000
Frm 00011
Fmt 4701
Sfmt 4700
3443
have to meet in implementing the NPI.
The proposed regulation text, in
§ 142.404, stated that health plans
would be required to accept and
transmit, directly or through a health
care clearinghouse, the NPI on all
standard transactions wherever
required. The proposed regulation text,
in § 142.406, stated that health care
clearinghouses would be required to use
the NPI wherever a standard electronic
transaction requires it.
The preamble of the May 7, 1998,
proposed rule (63 FR 25330) states: ‘‘In
§ 142.408, Requirements: Health care
providers, we would require each health
care provider that needs an NPI for
HIPAA transactions to obtain, by
application if necessary, an NPI * * *’’
Section 142.408(a) of the proposed
regulation text states: ‘‘Each health care
provider must obtain, by application if
necessary, a national provider
identifier.’’ The text of the proposed
rule states, in § 142.408(c): ‘‘Each health
care provider must communicate any
changes to the data elements in its file
in the national provider system to an
enumerator of national provider
identifiers within 60 days of the
change.’’
Comments and Responses on
Requirements for Health Care Providers,
Health Plans, and Health Care
Clearinghouses
We believe that the Congress intended
that each health care provider be
eligible for an NPI and intended to
authorize the Secretary to require
covered health care providers to obtain
one. HIPAA requires the adoption of a
standard unique health identifier for
health care providers and directs the
Secretary to specify the purposes for
which the identifier may be used. The
statute sets forth the maximum amount
of time by which all covered entities
must comply with the standards,
leaving discretion to the Secretary to
designate compliance dates (within the
limitations of the law). We proposed in
the May 7, 1998, proposed rule, and
require in this final rule, that covered
entities must be in compliance with the
standards no later than 2 years (3 years
for small health plans) from the effective
date of the regulation. Thus, as of the
compliance date, a covered health care
provider must have obtained and begun
to use an NPI.
Comment: Some commenters
recommended that all data about a
health care provider in the NPS be
required to be updated; others stated
that only certain data elements should
be required to be updated. Most
indicated that data needed for unique
identification should be kept current.
E:\FR\FM\23JAR2.SGM
23JAR2
�3444
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
Response: In the proposed rule, the
NPS was proposed to include many data
elements that we have since decided not
to include. (See section II. C. 2. of this
preamble, ‘‘Data Elements and Data
Dissemination.’’) We have decided that
the NPS will consist entirely of data
elements about a health care provider
that are needed for administrative
(communications) purposes and for the
unique identification of the health care
provider. We believe it is appropriate
and necessary for the health care
providers to notify the NPS of changes
in their required NPS data, but, given
limits on our statutory authority, we can
require such notification only of
covered health care providers.
Comment: We received many
comments concerning the length of time
a health care provider should be
allowed before it must notify the NPS of
changes to its NPS data. Most
commenters thought that the 60-day
period was too long and believed a 15to-30-day period was more appropriate.
Response: The May 7, 1998, proposed
rule at § 142.408(c) proposed 60 days to
allow reasonable flexibility in the time
required for a health care provider to
complete a paper form (the NPI
application/update form) containing the
update(s) and forward it to the NPS. We
will attempt to design the NPS to be
responsive and easy to use. We will
consider a design that will allow a
health care provider (or possibly a
health care provider’s authorized
representative (see section II. B. 2.,
‘‘Health Care Provider Enumeration,’’ of
this preamble)) to communicate the
health care provider’s changes directly
into the NPS over the Internet, using a
secure Web-based transaction. A paper
form (the NPI application/update form)
will be developed for this same purpose
and will be available from the NPS and
from the CMS Web site (http://
www.cms.hhs.gov) for use by health care
providers. We realize that many health
care providers may prefer to send
electronic updates if the capability
exists. According to the majority of
commenters, health care providers
should be required to communicate
changes in their NPS data in far less
than 60 days. We agree. Therefore, we
adopt in this final rule a requirement
that covered health care providers notify
the NPS of changes in their required
NPS data within 30 calendar days of the
changes (§ 162.410(a)(4)).
Comment: Several commenters
indicated that health plans will need to
know about changes in health care
provider information. Commenters did
not believe it would be fair for health
care providers to have to notify both the
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
NPS and the health plans in which they
are enrolled of changes.
Response: We agree that health plans
will need to know of changes in the data
associated with their enrolled health
care providers. Most health plans collect
more information about a health care
provider than the NPS will collect.
Therefore, we expect that health plans
will still require health care providers to
notify them of changes in this
information. The NPS will have the
capability to provide listings or reports
of changes in NPS data in accordance
with section II. C. 2. of this preamble,
‘‘Data Elements and Data
Dissemination.’’
Comment: Several commenters stated
that the NPS should be required to
apply updates within a specified period
of time after receipt of the updated
information from a health care provider.
Response: We expect that the update
process will be designed in a way that
will allow the system to process updates
within a reasonable timeframe (for
example, 10 business days from receipt).
The volume of updates at any given
time may impact system performance. If
changes are unable to be made (for
example, the health care provider
furnishing updates does not appear to
match any health care provider in the
NPS), the health care provider will
receive a message that will indicate why
the NPS is unable to update the record.
The message will request that the
problem be resolved and the
information be resubmitted.
Comment: Several commenters asked
if health plans should take any action to
notify the NPS of changes to health care
provider data if they become aware of
these changes.
Response: Although health plans
would not be required to provide
information to the NPS to update health
care provider data, we encourage health
plans to instruct and remind their
enrolled health care providers to notify
the NPS of changes in their data.
Comment: There were numerous
comments about penalties for non-use of
the NPI:
• If NPIs could not be assigned to
covered health care providers before the
compliance date for those health care
providers, and sufficiently ahead of that
time to enable the health care providers
to be capable of using the NPI in
standard transactions, penalties should
not be enforced for nonuse of the NPI.
• Sufficient time should elapse to
ensure adequate experience in using the
NPI before penalties are assessed.
• Financial penalties for
noncompliance should not be assessed
until 1 year after the NPI compliance
dates.
PO 00000
Frm 00012
Fmt 4701
Sfmt 4700
• The method of enforcing
compliance with the standard should be
made public.
• The penalties for nonuse of a single
standard and nonuse of multiple
standards should be clarified.
• When noncompliance forces
nonpayment, the entity expecting
payment will resolve the issue.
Response: NPIs will be assigned to
health care providers as quickly as
possible and within the parameters of
the performance criteria that are in
effect. (See earlier comment and
response for additional information.)
HHS is preparing, and has issued in
part, a separate regulation on
enforcement of the HIPAA standards.
This regulation is expected to address
all but perhaps the last concern of these
commenters. The regulation cannot
place requirements on entities that are
not covered entities, and the entities
involved in the situation described in
the last bullet may not be covered
entities.
Comment: Many commenters
suggested that (1) health care providers
not be required to use the NPI within
the first year after the effective date of
its adoption, although willing trading
partners could use the NPI by mutual
agreement at any time after the effective
date; and (2) health plans should give
their health care providers at least 6
months’ notice before requiring them to
use the NPI.
Response: Upon the effective date of
the adoption of this standard (which
will be 16 months after the date it is
published), health care providers may
apply for NPIs. Covered entities (except
for small health plans) must begin using
the NPI in standard transactions no later
than 24 months after the effective date.
(Small health plans have 36 months to
begin using NPIs.) These are statutory
requirements that we have incorporated
into this final rule. We believe these
timeframes enable more than sufficient
time for covered health care providers to
become aware of their responsibilities
under this final rule, to apply for and be
assigned their NPIs, and to complete
work needed to begin using their NPIs.
Applying for an NPI up to 18 months
after the effective date of the adoption
of this standard will still give health
care providers 6 months before the
statutory compliance date arrives. We
encourage health plans to give health
care providers 6 months’ notice before
requiring them to use NPIs; however, we
do not require that action by the health
plans. How soon health care providers
could use NPIs would depend on when
they obtained the NPIs, and health plans
have no direct control over that action.
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
We encourage all parties to work
together to ensure a smooth transition.
Final Provisions (§ 162.410, § 162.412,
§ 162.414)
All health care providers are eligible
for NPIs.
We require each covered health care
provider to obtain an NPI from the NPS,
by application if necessary, for itself and
for its subparts, if appropriate, and to
use its NPI in standard transactions.
Covered health care providers must
disclose their NPIs to other entities that
need those health care providers’ NPIs
for use in standard transactions.
Covered health care providers must
communicate to the NPS any changes in
their required data elements within 30
days of the change. If covered health
care providers use business associates to
conduct standard transactions on their
behalf, they must require their business
associates to use NPIs appropriately as
required by the transactions the
business associates conduct on its
behalf.
Situations exist in which a standard
transaction must identify a health care
provider that is not a covered entity. An
organization health care provider
subpart may need to be identified in a
standard transaction but the
organization health care provider may
not be required to obtain an NPI for the
subpart. A noncovered health care
provider may or may not have applied
for and received an NPI. In the latter
case, and in the case of the subpart
described above, an NPI would not be
available for use in the standard
transaction. We encourage every health
care provider to apply for an NPI, and
encourage all health care providers to
disclose their NPIs to any entity that
needs that health care provider’s NPI for
use in a standard transaction. Obtaining
NPIs and disclosing them to entities so
they can be used by those entities in
standard transactions will greatly
enhance the efficiency of health care
transactions throughout the health care
industry. If subparts are assigned NPIs,
the covered health care provider must
ensure that the subpart’s NPI is
disclosed, when requested, to any entity
that needs to use the subpart’s NPI in a
standard transaction.
Here are examples that illustrate the
desirability for a health care provider
that is not required to be enumerated to
obtain and disclose an NPI:
(1) A pharmacy claim that is a
standard transaction must include the
identifier (which, as of the compliance
date, would be the NPI) of the
prescriber. Therefore, the pharmacy
needs to know the NPI of the prescriber
in order to submit the pharmacy claim.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
The prescriber may be a physician or
other practitioner who does not conduct
standard transactions. The prescriber is
encouraged to obtain an NPI so it can be
furnished to the pharmacy for the
pharmacy to use on the standard
pharmacy claim.
(2) A hospital claim is a standard
transaction and it may need to identify
an attending physician. The attending
physician may be a physician who does
not conduct standard transactions. The
physician is encouraged to obtain an
NPI so it can be furnished to the
hospital for the hospital to use on the
standard institutional claim.
In the examples above, the NPI of a
health care provider that is not a
covered entity is needed for inclusion in
a standard transaction. The absence of
NPIs when required in those claims by
the implementation specifications may
delay preparation or processing of those
claims, or both. Therefore, we strongly
encourage health care providers that
need to be identified in standard
transactions to obtain NPIs and make
them available to entities that need to
use them in those transactions.
Under § 162.410 (Implementation
specifications: Health care providers),
we require each covered health care
provider to:
• Obtain from the NPS, by
application if necessary, an NPI for itself
and, if appropriate, for its subparts.
• Use the NPI it obtained from the
NPS to identify itself in all standard
transactions that it conducts where its
health care provider identifier is
required.
• Disclose its NPI, when requested, to
any entity that needs the NPI to identify
that health care provider in a standard
transaction.
• Communicate to the NPS any
changes to its required data elements in
the NPS within 30 days of the change.
• If it uses one or more business
associates to conduct standard
transactions on its behalf, require its
business associate(s) to use its NPI and
the NPIs of other health care providers
appropriately as required by the
transactions the business associate(s)
conducts on its behalf. (For example, a
claim for a laboratory service will
require the NPI of the laboratory and
may also require the NPI of the referring
physician. If a business associate
prepares the laboratory claim, the
business associate must use the
laboratory’s and the referring
physician’s NPIs. If the business
associate does not already know the NPI
of the referring physician, it may have
to contact the referring physician to
obtain his or her NPI.)
PO 00000
Frm 00013
Fmt 4701
Sfmt 4700
3445
• If it has been assigned NPIs for one
or more subparts, comply with the
above requirements with respect to each
of those NPIs.
Under § 162.412 (Implementation
specifications: Health plans), we require
health plans to: use the NPI of any
health care provider (including subparts
of organization health care providers)
that has been assigned an NPI to
identify that health care provider (or
subpart) in all standard transactions
where the health care provider’s (or
subpart’s) identifier is required. Health
plans may not require health care
providers that have been assigned NPIs
to obtain additional NPIs.
Under § 162.414 (Implementation
specifications: Health care
clearinghouses), we require health care
clearinghouses to use the NPI of any
health care provider (including subparts
of organization health care providers)
that has been assigned an NPI to
identify that health care provider (or
subpart) in all standard transactions
where that health care provider’s (or
subpart’s) identifier is required.
B. Implementation of the NPI
1. The National Provider System
Proposed Provisions (§ 142.402)
The May 7, 1998, proposed rule (at 63
FR 25331) described the National
Provider System (NPS) as a central
electronic enumerating system. The
system would be a comprehensive,
uniform system for identifying and
uniquely enumerating health care
providers at the national level. The
Department of Health and Human
Services (HHS) would exercise overall
responsibility for oversight and
management of the system.
Comments and Responses on the
National Provider System
We did not receive comments specific
to our description of the NPS. However,
commenters were emphatic that the
NPS be fully tested before it began
assigning NPIs, and that the system
ensure that the same NPI would not be
issued to more than one health care
provider. Commenters also suggested
that an option be made available by
which health care providers could apply
for NPIs electronically in lieu of
completing a paper application form.
This comment is addressed in section
II. B. 2. of this preamble, ‘‘Health Care
Provider Enumeration.’’
Final Provisions (§ 162.408(a))
NPIs will be assigned to health care
providers by the NPS, which will be a
central electronic enumerating system
operating under Federal direction. The
E:\FR\FM\23JAR2.SGM
23JAR2
�3446
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
NPS will uniquely identify and
enumerate health care providers at the
national level. The NPS may enumerate
subparts of organization health care
providers.
The NPS will be designed to be easy
to use. The design will employ the latest
technological advances wherever
feasible for capturing health care
provider data and making information
available to users. This is discussed in
section II. C. 2. of this preamble, ‘‘Data
Elements and Data Dissemination.’’
HHS will exercise overall
responsibility for oversight and
management of the NPS. The NPS will
include a database that will store the
identifying and administrative
information about health care providers
that are assigned NPIs. The data
elements comprising the NPS are
described and listed in section II. C. 2.
of this preamble, ‘‘Data Elements and
Data Dissemination.’’
Identifying and uniquely enumerating
health care providers for purposes of the
NPI is separate from the process that
health plans follow in enrolling health
care providers in their health programs.
The NPS will assign NPIs to health care
providers. However, the assignment of
the NPI will not eliminate the process
that health plans follow in receiving and
verifying information from health care
providers that apply to them for
enrollment in their health programs.
Health care providers will submit
applications for NPIs to HHS. As health
care provider data are entered into the
NPS from the application, the NPS will
check the data for consistency,
standardize addresses, and validate the
Social Security Number (SSN) if the
individual applying for an NPI provides
it; the NPS will validate the date of birth
only if the SSN is validated. (If a health
care provider chooses not to furnish his
or her SSN when applying for an NPI,
the assignment of an NPI to that health
care provider may be delayed and
additional information may be
requested from that health care provider
in order to establish uniqueness.) If the
NPS encounters problems in processing
the application, appropriate messages
will be communicated to the applicant.
If problems are not encountered, the
NPS will then search its database to
determine whether the health care
provider already has an NPI. If a health
care provider has already been issued an
NPI, an appropriate message will be
communicated. If not, an NPI will be
assigned. If the health care provider is
similar (but not identical) to an alreadyenumerated health care provider, the
situation will be investigated. Once an
NPI is assigned, the health care provider
will be notified of its NPI.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
2. Health Care Provider Enumeration
In section III of the preamble of the
May 7, 1998, NPI proposed rule,
‘‘Implementation of the NPI’’ (at 63 FR
25331), we asked for comments on the
entity or entities that would be
responsible for assigning NPIs to health
care providers. We explained that the
HIPAA legislation did not contain a
specific funding mechanism for
activities related to enumeration. We
asked for comments on how the
enumeration activity and the NPS itself
could be funded, and how the costs of
enumeration could be kept as low as
practicable. We presented two options
for the enumeration of health care
providers: (1) All health care providers,
except existing Medicare providers,
would be enumerated by a single entity.
Existing Medicare providers would
automatically be enumerated and would
not have to apply for NPIs; (2) Federal
health plans and Medicaid would
enumerate their enrolled health care
providers, and a federally-directed
registry would enumerate all remaining
health care providers. We also presented
a phased approach to enumeration and
requested public comment on it. In the
phased approach, we proposed that
enumeration would occur in the
following order: (1) Medicare providers;
(2) Medicaid, other Federal providers,
and health care providers that do not
conduct business with Federal health
plans or Medicaid but that do conduct
electronically any of the transactions
specified in HIPAA; and (3) all
remaining health care providers. The
May 7, 1998, proposed rule also stated
that phase three would not begin until
phases one and two were completed.
Comments and Responses on Provider
Enumeration
Comment: Several commenters stated
that it would cost more than our
estimate of $50 to enumerate a health
care provider; others believed our
estimate of $50 to be reasonable. Some
commenters pointed out that Federal
and Medicaid health plans do not
maintain all of the information about
health care providers that would be
required to assign NPIs; thus, if those
health plans’ prevalidated health care
provider files were to be used to
populate the NPS, costs might exceed
$50 per health care provider in order to
obtain the missing information needed
to assign NPIs. Commenters also
pointed out that the cost to enumerate
an entity that furnishes atypical or
nontraditional services would exceed
$50.
Response: We respond to these issues
as follows:
PO 00000
Frm 00014
Fmt 4701
Sfmt 4700
• We agree with the comment that
there may be situations where
information in addition to what is
contained in existing health care
provider files will be required in order
to assign NPIs. For example, we have
found that some Medicaid and Medicare
provider files do not contain all of the
information required to assign an NPI.
Populating the NPS with existing files
that lack certain required NPS data
elements increases the cost of
enumeration because additional
resources would be needed to collect
the missing information.
• Any inconsistencies or errors that
are present in health care provider files
that are considered to be used to
populate the NPS would be imported
into the NPS as part of that process.
Resolving these inconsistencies and
errors before loading these files will
require resources and time. This will
increase the cost of enumeration and
possibly slow the process.
• Where the format or structure of a
health care provider file being
considered for use in populating the
NPS differs from the format or structure
of the NPS, additional costs will be
incurred in attempting to conform that
source file to the NPS.
• As discussed in section II. C. 2. of
this preamble, ‘‘Data Elements and Data
Dissemination,’’ we are reducing the
amount of health care provider
information being captured by the NPS
to only that which is required to
uniquely identify and communicate
with the health care provider. Some of
the information that will not be
collected is the kind that is costly to
collect, such as membership in groups,
certification and school information.
Not collecting these health care provider
data lowers the cost of enumeration.
• On applications for NPIs from
individuals, the NPS will verify the SSN
if it is furnished on the application.
• Problems in processing the
applications will have to be resolved.
This will increase the cost of
enumeration.
• The NPS will be designed,
wherever feasible, to take advantage of
technologies that will make its
operation efficient. This may include
the use of the Internet to accept
applications and updates from health
care providers. While up-front costs will
be higher for some designs, the more
efficient the design and operation of the
NPS, the lower the cost of enumeration
and ongoing operations.
Medicare Part B carriers indicated in
comments that it costs about $50 to
enroll a health care provider in the
Medicare program. This process
involves reviewing and validating a
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
paper application containing far more
information than will be collected and
validated on the NPI application/update
form. The NPS will verify the SSN only
if it is furnished in applying for an NPI;
the date of birth will be verified only if
the SSN is furnished. The NPS will run
various edits and consistency checks
and will check for duplicate records to
ensure that only one NPI is assigned to
a health care provider and that the same
NPI is not assigned to more than one
health care provider. Enabling the
receipt of Web-based applications and
the limited validation will make the cost
of enumerating a health care provider
far less than enrolling a health care
provider in a health plan. The majority
of atypical and nontraditional service
providers are not considered health care
providers and, therefore, would not be
eligible for NPIs. The use of modern
technology to receive and process
applications for NPIs makes it difficult
if not impossible to attach a dollar value
to the enumeration of a single provider.
Implicit in enumeration are the costs of
software, licenses, salaries, training, and
overhead. We estimate that the
combination of all of the above factors
would reflect an average cost of
enumerating a single health care
provider to be closer to $10.
Comment: The majority of
commenters favored enumeration
option 1, where a single entity would
enumerate all health care providers
except existing Medicare providers
(who would automatically be
enumerated). (The May 7, 1998,
proposed rule recommended
enumeration option 2, which would
have required Federal health plans and
Medicaid to enumerate their enrolled
health care providers, with a federallydirected registry enumerating all
remaining health care providers.) The
supporters of a single enumeration
entity cited the following advantages of
option 1: (1) It would be less costly than
multiple enumeration entities; (2) it
would ensure uniform operation of the
enumeration process, reducing
inconsistencies that could lead to
duplicate assignment of NPIs; (3) it
would be less confusing to health care
providers, particularly those that
participate in multiple health plans; (4)
it would be a single point of contact
with which to do business and seek
help and information; and (5) it would
ensure uniformity in resolving problems
and would be more capable and
efficient in responding to data integrity
issues that may require investigation.
Comments from Federal health plans
and Medicaid State agencies (which
were the proposed enumeration entities
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
under option 2) stated that they
preferred not to have a role as an
enumerator. Some Federal health plans
anticipated that too many health care
providers would request that they
handle their updates and changes.
Medicaid State agencies indicated that
they would require additional Federal
funding to assume the responsibilities of
enumeration.
Nonetheless, some commenters did
support option 2. They stated that
having Federal health plans and
Medicaid State agencies enumerate their
own health care providers had several
advantages: (1) These entities already
conduct a significant amount of
enumeration activity in their health
plan enrollment processes, which
would bring a wealth of experience to
the NPI enumeration process; (2) much
of the information required to assign an
NPI to a health care provider is already
collected by these entities; (3) fraud
detection would be enhanced because,
as enumeration entities, they would
have access to the data in the NPS; and
(4) the initial cost of enumerating health
care providers would be incremental to
these entities, a major factor in making
option 2 less costly than option 1.
Response: After analyzing all the
comments and reviewing our
computations as to the costs of
enumeration under both options, we
have determined that a single entity,
under HHS direction, should handle the
enumeration functions. We believe that
enumeration by a single entity will be
the most efficient option.
While supporters of option 2 cited
several advantages, the reluctance of the
Federal health plans and Medicaid State
agencies to undertake enumeration
functions was a major factor causing us
to support a single entity. Selection of
option 2 would have required those
Federal health plans and Medicaid State
agencies to perform functions they were
not willing to perform. Another factor in
our decision to choose option 1 was an
oversight in our cost computations.
While our narrative discussion of costs
indicated that prevalidated Medicare
provider files would populate the NPS
under both options, Table 5 in the
Impact Analysis portion of the May 7,
1998, proposed rule did not reflect those
savings in the cost of option 1. If those
savings had been reflected, the cost of
option 1 would have been less. (Please
see the next comment and response
regarding Medicare provider files.) Costs
for option 2 did not include the
expenses that would be incurred by
Federal health plans and Medicaid State
agencies in resolving problems found in
their health care provider records that
would prevent some of those records
PO 00000
Frm 00015
Fmt 4701
Sfmt 4700
3447
from being loaded into the NPS for
enumeration of the health care
providers. This would have increased
the cost of option 2. Had we applied
both of these cost factors, both options
would cost about the same.
The use of one entity, under HHS
direction, to enumerate health care
providers will ensure uniform operation
of the NPS. Health care providers will
have a single contact point for
applications, updates, and questions.
Problems will be resolved in a uniform
manner. These factors make a single
enumerator the more efficient option.
Comment: Several commenters
cautioned against loading pre-existing
health care provider files into the NPS.
They indicated that any errors present
in those files would be carried
undetected into the NPS. Commenters
cautioned that any data to be loaded
into the NPS should be validated,
accurate, and up to date.
Response: We agree with the
commenters’ recommendation that
accurate, current data should be
included in the NPS. After publication
of the May 7, 1998 proposed rule, we
reexamined the existing Medicare
provider files in anticipation of using
them to populate the NPS. Our
reexamination revealed that some
mandatory NPS data elements are not
present in some of the Medicare files. In
addition, data integrity problems have
been identified, and reformatting some
of the Medicare files to make them
consistent with the structure of the NPS
may be more difficult than first
expected. It may require considerable
time to update and reformat these files
for NPS purposes.
It is important to note that we are
undertaking steps to update our existing
Medicare provider files for independent
business reasons. If we find it is feasible
to use updated, accurate Medicare
provider files to populate the NPS, we
will do so, and we will notify the
affected Medicare providers that they
will not have to apply for NPIs. The
NPS will notify the affected providers of
their NPIs.
Comment: Nearly all commenters
recommended that the enumeration
function and operation of the NPS be
federally funded because a Federal
statute mandates the adoption and use
of a standard unique health identifier
for health care providers. Many
commenters stated that the costs cannot
be borne directly by health care
providers or indirectly by health care
provider organizations and clearly
stated that health care providers should
receive NPIs at no cost. Some stated that
if fees need to be assessed, they should
come from the health plans, not the
E:\FR\FM\23JAR2.SGM
23JAR2
�3448
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
health care providers, as the health
plans will receive the most benefit from
the use of the standard. There was some
support for the collection of initial fees
from health plans, health care
clearinghouses, and other nonprovider
entities to obtain data from the NPS; the
fees would help offset the cost of
maintaining the database. Another
commenter recommended that the
public sector and large health plans pay
fees to a public-private sector trust
organization. The fees would represent
their proportion of the total health
benefit dollars; the trust organization
would administer various databases
required by the HIPAA standards (not
solely the NPS). One commenter
suggested Federal funds be used
initially, with the enumeration entity
eventually becoming self-sufficient.
Response: HIPAA did not provide the
authority to charge health care providers
a user fee to obtain an NPI. Federal
funds will support the enumeration
process and the NPS, at least initially.
After the NPI is implemented, HHS will
investigate the use of other funding
mechanisms. The data dissemination
process is discussed in section II.C.2.,
‘‘Data Elements and Data
Dissemination,’’ of this preamble.
Comment: Some commenters
supported the phases of enumeration as
described in the May 7, 1998, proposed
rule. Many commenters supported
assignment of NPIs to existing Medicare
providers first for these reasons: (1)
These health care providers are the
majority of the health care providers
that conduct standard transactions; (2)
the NPS is being developed by HHS;
and (3) Medicare provider information
is already available in HHS in the
Centers for Medicare & Medicaid
Services (CMS).
Many commenters stated that health
care providers that do not conduct the
transactions specified in HIPAA should
be enumerated at the same time as all
other health care providers—all health
care providers must be equally able to
receive NPIs. Many of these commenters
believed that costly dual systems would
have to be maintained (one for health
care providers with NPIs and one for
those without) and confusion in the
marketplace would be created if paper
processors did not also receive NPIs
within the same time frame as electronic
processors.
Other commenters suggested that
NPIs be issued on a first-come, firstserved basis.
Some commenters suggested
enumeration phases by health care
provider type or by geographical region
of the country.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
Response: The NPS will be stress
tested, but even successful passage of
the stress test will not enable all health
care providers to apply for and be
assigned NPIs at the same time.
Covered health care providers are
required to use NPIs where those
identifiers are required in standard
transactions. We expect that covered
health care providers will be the first to
apply for NPIs. We estimate that, on the
effective date of the NPI, approximately
2.3 million health care providers will be
ready to apply for NPIs. They may apply
for NPIs beginning on the effective date,
which is May 23, 2005. Covered health
care providers must begin to use their
NPIs in standard transactions no later
than May 23, 2007.
We estimate that, on the effective date
of the NPI, the number of health care
providers that typically do not conduct
standard transactions will be
approximately 3.7 million. A few
examples of these health care providers
are registered nurses employed by
hospitals or other facilities, X-ray and
other technicians, and dental hygienists.
These health care providers may apply
for NPIs at any time after the effective
date of this final rule. However, because
there is no requirement for these health
care providers to use NPIs, we do not
expect them to apply for NPIs as soon
as those that conduct standard
transactions or those that must be
identified in standard transactions.
It may be determined some time after
publication of this final rule that ‘‘bulk
enumeration’’ of some health care
providers is feasible. Bulk enumeration
is a term used to mean massenumeration of a large number of health
care providers, all at one time, from a
database or file that uniquely identifies
them in a way consistent with the
identification criteria in this final rule.
Bulk enumeration would eliminate the
need for those health care providers to
apply for NPIs. For example, bulk
enumeration might involve a specific
classification of health care providers
that comprises the membership of a
large professional organization, or it
could involve different classifications of
health care providers that are employed
by one large organization health care
provider. In both of these examples, the
health care providers to be enumerated
may or may not be covered entities. This
enumeration could occur at any time, if
it is feasible. HHS, along with the other
affected entities, and working within the
requirements of the Privacy Act, will
determine the feasibility of bulk
enumeration. Any health care provider
that would be enumerated in this way
will be notified.
PO 00000
Frm 00016
Fmt 4701
Sfmt 4700
The NPS will process applications for
NPIs as they are received.
It is true that some health plans may
have to maintain—for internal
purposes—dual health care provider
numbers: the NPI and the number(s)
issued to health care providers by the
health plans themselves. Health plans
impose this burden on themselves in
accommodating their own internal
operational needs. We expect that
health plans may decide to use NPIs for
additional purposes beyond those
required in this final rule.
Comment: The majority of
commenters made it clear that NPIs
must be assigned and the NPS fully and
successfully tested well before the
compliance date.
Response: We agree. The NPS will
have been fully tested before it begins to
assign NPIs. The speed of assignment of
NPIs will be dependent in part on the
complete, correct, and timely
submission of the NPI applications.
Comment: Several commenters stated
that the application forms for NPIs
should be retained indefinitely in a
manner where the signatures or
certification statements could be
verified if necessary. Commenters stated
that signatures or certification
statements could be useful in
prosecuting a health care provider that
knowingly requested more than one NPI
for itself.
Response: The NPI application forms
will contain a statement whereby the
signer attests to the accuracy of the
information on the application. Paper
applications will be maintained
indefinitely for signature or certification
statement verification and audit
purposes. Applications completed
electronically will be processed only if
the person completing the application
attested to the accuracy of the
information by ‘‘checking’’ a designated
box appearing in the on-line
application. Those electronic
applications that are successfully
processed (that is, the health care
provider is assigned an NPI) will be
maintained indefinitely in a manner
whereby certification statements can be
verified if required.
Comment: Several commenters asked
that the NPI application form be
designed to accommodate updates to
health care provider data.
Response: We believe this is a good
suggestion, particularly because all of
the information that will be required on
the application for an NPI will have to
be updated if changes occur. Therefore,
we will attempt to design a form that
can serve both application and update
purposes.
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
Final Provisions
One entity will be given enumeration
functions under the direction of HHS
(option 1 as presented in the May 7,
1998, proposed rule) to enumerate all
eligible health care providers who apply
for NPIs. There are many advantages in
using a single entity, which were
discussed in the comment and response
section above.
The enumeration function and the
development and operation of the NPS
will be federally funded, at least for the
foreseeable future. Under this final rule,
health care providers will not be
charged a fee to be assigned NPIs or to
update their NPS data.
If feasible, we will populate the NPS
with Medicare provider files.
Health care providers will apply for
NPIs, and covered health care providers
must apply for NPIs.
We will attempt to design the NPI
application form in order to also
accommodate updates. The form will be
available from the NPS and via the
Internet (http://www.cms.hhs.gov).
We will attempt to design the NPS so
that it can receive and accept NPI
applications and updates on paper or
over the Internet.
We expect that the use of modern
technology to receive and process
applications for NPIs and to apply
updates to the NPS records of
enumerated health care providers will
greatly reduce our earlier estimates. In
addition, the limited validation by the
NPS of data reported by health care
providers will further reduce NPS costs.
We discuss the cost of operating the
NPS in section V, ‘‘Regulatory Impact
Analysis,’’ of this preamble.
Before enumeration begins, the NPS
will be fully tested. We will strive to
ensure that the NPS functions properly
and guards against assigning the same
NPI to more than one health care
provider, assigning more than one NPI
to the same health care provider, and reusing NPIs (assigning to a health care
provider an NPI that had at one time
been issued to another).
Health care providers may apply for
NPIs beginning on the effective date of
this final rule.
At this time, we do not expect bulk
enumeration of health care providers,
except possibly of Medicare providers,
as discussed earlier. HHS will explore
the feasibility of other such
enumerations. If considered feasible, the
affected health care providers will be
notified and will not have to apply for
NPIs.
We will consider the feasibility of
allowing health care providers to
designate authorized representatives to
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
handle their NPI applications and
updates.
Applications for NPIs and updates
will be retained by HHS indefinitely in
a manner in which signatures on paper
applications or certification statements
on electronic applications can be
verified if required.
We will make available as much
information as possible about the
implementation of the NPI on the CMS
Web site (http://www.cms.hhs.gov).
The web site will include information
about the availability and submission of
the NPI application/update form.
3. Approved Uses of the NPI
The preamble of the May 7, 1998,
proposed rule discussed approved uses
of the NPI. We did not receive
comments that objected to those uses.
By 24 months after the effective date
of this final rule, covered health care
providers, health plans (except for small
health plans), and health care
clearinghouses must use the NPI in
standard transactions. Small health
plans must do so within 36 months of
the effective date. Covered health care
providers must disclose their NPIs to
other entities when these entities need
to include those health care providers’
NPIs in standard transactions. We
encourage all other health care
providers to do the same.
The NPI may also be used for any
other lawful purpose requiring the
unique identification of a health care
provider. It may not be used in any
activity otherwise prohibited by law.
Examples of permissible uses include,
in addition to the above, the following:
• The NPI may be used as a crossreference in health care provider fraud
and abuse files and other program
integrity files.
• The NPI may be used to identify
health care providers for debt collection
under the provisions of the Debt
Collection Improvement Act of 1996
(Pub. L. 104–134, enacted on April 26,
1996) and the Balanced Budget Act of
1997 (Pub. L. 105–33, enacted on
August 5, 1997).
• Health care providers may use their
own NPIs to identify themselves in
nonstandard health care transactions
and on related correspondence.
• Health care providers may use other
health care providers NPIs to identify
those other health care providers in
health care transactions and on related
correspondence.
• Health plans may use NPIs in their
internal health care provider files to
process transactions and in
communications with health care
providers.
PO 00000
Frm 00017
Fmt 4701
Sfmt 4700
3449
• Health plans may communicate
NPIs to other health plans for
coordination of benefits.
• Health care clearinghouses may use
NPIs in their internal files to create and
process standard transactions and in
communications with health care
providers and health plans.
• NPIs may be used to identify health
care providers in patient medical
records.
• NPIs may be used to identify health
care providers that are health care card
issuers on health care identification
cards.
We encourage health care providers
that are not required to comply with
HIPAA regulations to use NPIs in the
ways listed above.
4. System of Records Notice
A System of Records Notice (HHS/
HCFA/OIS No. 09–70–0008) published
in the Federal Register on July 28, 1998
(63 FR 40297), listed the ways in which
data from the NPS that are protected by
the Privacy Act may be used. Few
comments were received on the System
of Records Notice.
We are including a summary of the
comments below:
Comment: One commenter believes
that the data collected to assign NPIs to
physicians should be kept to an absolute
minimum. Data that are not required for
enumeration or legitimate
administrative purposes should not be
collected. Data released beyond HHS
must be released in accordance with the
provisions of the Privacy Act, insofar as
that Act applies to the data in question,
and the Freedom of Information Act, as
appropriate. Data in addition to those
which are published in the Unique
Physician Identification Number (UPIN)
Directory should not be released. Most
of the data collected to enumerate an
individual should not be publicly
available. Another commenter was
concerned that removal of a health care
provider’s record from the NPS could
result in the re-issuance of that health
care provider’s NPI to another health
care provider. The NPI must remain
unequivocally unique and the NPS must
never re-issue a previously assigned
NPI. Removal of a health care provider’s
records at some point after the health
care provider’s death is reasonable, as
long as there are guarantees that the
health care provider’s NPI will never be
used by another health care provider or
re-issued to another health care
provider.
Response: In section II. C. 2. of this
preamble, ‘‘Data Elements and Data
Dissemination,’’ we describe the
information that we expect will be
collected and stored in the NPS. The
E:\FR\FM\23JAR2.SGM
23JAR2
�3450
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
requirements described in the
comments we received on the NPS
System of Records Notice will be met in
the design and operation of the NPS and
in the enumeration functions.
5. Summary of Effects on Various
Entities
Below is a summary of how the
implementation of the NPI will affect
health care providers, health plans, and
health care clearinghouses.
a. Health Care Providers
At this time, bulk enumeration of
health care providers is not expected to
occur. If, however, it is determined to be
feasible, we will populate the NPS with
data from Medicare provider files. If
bulk enumeration were to occur, the
affected health care providers would be
notified of their NPIs and would not
have to apply for them. Otherwise, in
order to be assigned NPIs, covered
health care providers must apply for
NPIs. (Health care providers that are not
covered entities are encouraged to apply
for NPIs.) After applying for NPIs,
health care providers will be assigned
and notified of their NPIs by the NPS.
Health care providers will submit a
paper application or, if feasible, will
have the option of applying for NPIs via
the Internet. The NPI application/
update form and information about
health care provider enumeration will
be available from the CMS Web site
(http://www.cms.hhs.gov).
Covered health care providers that
have been assigned NPIs must furnish
updates (changes) in their required NPS
data or that of their subparts to the NPS
within 30 days of the changes; they may
use the NPI application/update form for
this purpose. We recommend that
health care providers notify the health
plans in which they are enrolled of any
changes at the same time they notify the
NPS of these changes. (This
recommendation does not preclude
health plans from requiring notification
of updates within a shorter time frame.)
We encourage health care providers
who have been assigned NPIs but who
are not covered entities also to notify
the NPS of changes in their NPS data
within 30 days of the changes.
Covered health care providers must
use their NPIs to identify themselves
and their subparts, if appropriate, on all
standard transactions when their health
care provider identifiers are required.
We encourage all health care providers
and subparts that have been assigned
NPIs to do the same.
Covered health care providers must
disclose their NPIs and those of their
subparts to entities that need the NPIs
to identify those health care providers
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
in standard transactions. We encourage
all health care providers and subparts
that have been assigned NPIs to do the
same.
Covered health care providers must
require their business associates, if they
use them to conduct standard
transactions on their behalf, to use their
NPIs and the NPIs of other health care
providers and subparts appropriately as
required by those transactions.
Covered health care providers that are
organization health care providers with
subparts as described earlier in this
preamble must ensure that, when NPIs
are assigned to subparts, either the
covered health care provider or the
subpart (1) uses the NPIs of the subparts
on all standard transactions when their
health care provider identifiers are
required, (2) discloses their NPIs to
entities that need the NPIs to identify
those subpart(s) in standard
transactions, (3) communicates changes
in required data elements of the
subparts to the NPS, and (4) requires
business associates of the subparts, if
they use them to conduct standard
transactions on their behalf, to use their
NPIs and the NPIs of other health care
providers and subparts appropriately as
required by the transactions that the
business associates conduct on their
behalf.
b. Health Plans
Health plans must use the NPI of any
health care provider or subpart that has
been assigned an NPI to identify that
health care provider or subpart on all
standard transactions when the NPI is
required. All plans except small health
plans have 24 months from the effective
date of this final rule to implement the
NPI; small health plans have 36 months.
Health plans that need NPS data in
order to create standard transactions
will be able to obtain NPS data from the
NPS. (See section II. C. 2. of this
preamble, ‘‘Data Elements and Data
Dissemination.’’) Use of data from the
NPS in order to comply with HIPAA
requirements is a routine use as
published in the NPS System of Records
Notice.
HIPAA does not prohibit a health
plan from requiring its enrolled health
care providers to obtain NPIs if those
health care providers are eligible for
NPIs as discussed earlier in this
preamble.
c. Health care clearinghouses
Health care clearinghouses must use
the NPI of any health care provider or
subpart that has been assigned an NPI
to identify that health care provider or
subpart on all standard transactions
when the NPI is required. As with
PO 00000
Frm 00018
Fmt 4701
Sfmt 4700
health plans, health care clearinghouses
will be able to obtain NPS data from the
NPS.
C. Data
1. NPS Data Structures
Proposed Provisions (§ 142.402)
In section IV. B. of the preamble of the
May 7, 1998, proposed rule, ‘‘Practice
Addresses and Group/Organization
Options,’’ (63 FR 25336), we asked for
public comment on some of the data
structures that would be captured in the
NPS for each health care provider.
Comments and Responses on NPS Data
Structure Concepts
Below are the questions as posed in
the May 7, 1998, proposed rule followed
by a summary of the comments and our
responses:
a. Should the NPS Capture Practice
Addresses of Health Care Providers?
Comment:
Responding yes: Some commenters
stated that they need to capture the
multiple practice addresses of a health
care provider for their business
functions. They believe it would be best
to do this once in the health care
provider’s NPS record, rather than in
many local systems.
Responding no: A large majority of
commenters stated that the NPS should
not capture any practice addresses or
should capture only one physical
location address per NPI. Some of these
commenters believed that each location
where a health care provider practices
needs to be identified, but they believed
locations should receive separate
identifiers, rather than be captured as
multiple addresses in the health care
provider’s NPS record. Many other
commenters noted that health care
provider practice addresses change
frequently and that address information
will be burdensome and expensive to
maintain and will be unlikely to be
maintained accurately at the national
level. They believe that, if needed, it
should be collected and maintained in
local systems.
Response: The NPS will capture the
mailing address and one physical
location address for each health care
provider. Only one physical location
address will be associated with each
NPI. Practice addresses would be of
limited use in the electronic matching of
health care providers. The volatility of
practice address information would
make maintenance of the information
burdensome and expensive. Collecting
only one physical location address
minimizes the burden of data collection
and maintenance, while providing an
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
address where the health care provider
can be contacted in situations when a
mailing address is insufficient. For
example, a mailing address containing a
Post Office box number cannot be used
for mail delivery by other than the
United States Postal Service.
b. Should the NPS Assign a Location
Code to Each Practice Address in a
Health Care Provider’s Record?
Comment:
Responding yes: A small number of
commenters recommended that the NPS
assign location codes. Most of these
commenters were health plans that need
to identify all the practice addresses of
a health care provider. They want to use
location codes as pointers to these
addresses in a health care provider’s
NPS record.
Responding no: A large majority of
commenters stated that the NPS should
collect only one physical location
address of each health care provider and
should not assign location codes. If only
one physical location address is
collected, there is no need to assign
location codes to distinguish multiple
practice addresses. Respondents noted
several technical weaknesses of the
proposed location code. They stated that
the format of the location code would
allow for a lifetime maximum of 900
location codes per health care provider,
and this number may not be adequate
for health care providers with many
locations. The location code would not
uniquely identify an address; different
health care providers practicing at the
same address would have different
location codes for that address, resulting
in complexity, rather than
simplification, for business offices that
maintain data for large numbers of
health care providers.
Response: The combination of the NPI
assignment strategy described earlier in
this final rule and the data elements
contained in the standard claim and
equivalent encounter information
transaction eliminate the need for
location codes. The NPS will not
establish location codes.
c. Should the NPS Link the NPI of a
Organization Health Care Provider That
Is a Group Practice to the NPIs of the
Individual Health Care Providers Who
Are Members of the Group?
Comment:
Responding yes: Some commenters
responded that they need to be able to
associate organization health care
providers who are group practices with
the individual members of the group.
They believe this association can most
efficiently be maintained once in the
NPS, rather than in many local systems.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
Responding no: A large majority of
commenters noted that health care
provider membership in groups changes
frequently and that this information will
be burdensome and expensive to
maintain and will be unlikely to be
maintained accurately at the national
level. Some health plans recognize
contractual arrangements that may not
correspond to groups. Commenters
believe that, if needed, membership in
groups should be collected and
maintained in local systems.
Response: We agree that the NPS
should not link the NPI of an
organization health care provider that is
a group practice to the NPIs of
individual health care providers who
are members of the group. The large
number of members of some groups and
the frequent moves of individuals
among groups would make national
maintenance of group membership
burdensome and expensive. Contractual
arrangements would be impractical to
maintain nationally and would most
likely differ from health plan to health
plan. Most organizations that need to
know group membership and
contractual arrangements prefer to
maintain this information locally, so
that they can ensure its accuracy for
their business purposes.
d. Should the NPS Collect the Same
Data for Organization and Group Health
Care Providers?
Comment:
Responding yes: A large majority of
commenters stated that a distinction
between organization and group health
care providers would be artificial and
would serve no purpose.
Responding no: Some commenters
stated that organization and group
health care providers should be
distinguished in the NPS. None of these
commenters suggested different data
that should be collected for a group
health care provider, as opposed to an
organization health care provider. We
believe that most of these comments
reflect a recommendation that group
health care providers receive NPIs
rather than a recommendation that
different data be collected for group
health care providers, as opposed to
organization health care providers.
Response: No commenter suggested
that different data be collected for a
group practice than for an organization
health care provider and a strong
majority of commenters stated that the
same data should be collected. We agree
that the NPS should collect the same
data for group and organization health
care providers. Groups will be
enumerated as organization health care
providers.
PO 00000
Frm 00019
Fmt 4701
Sfmt 4700
3451
Comments and Responses on NPS Data
Structure Alternatives
In the May 7, 1998, proposed rule, we
presented two alternatives for the
structure of health care provider data in
the NPS.
Under ‘‘Alternative 1,’’ the NPS
would capture multiple practice
addresses. It would assign a location
code for each practice address of an
individual or group health care
provider. Organization and group health
care provider records would have
different associated data in the NPS.
Group health care providers could have
individuals (such as physicians) listed
as members of the group, and the NPS
would link the NPIs of group health care
providers to the NPIs of the individuals
that make up the group. Under
‘‘Alternative 2,’’ the NPS would collect
the mailing address and one physical
location address for a health care
provider. It would not assign location
codes. It would not collect different data
for organization and group health care
providers. It would not link the NPI of
an organization to the NPIs of
individuals or any other health care
providers.
Comment: A majority of respondents
preferred Alternative 2.
Response: The comments on the four
preceding questions and on the two
alternatives indicated a strong
preference for Alternative 2. We agree
with commenters that Alternative 2 will
provide the data needed to identify the
health care provider at the national
level. We agree that the NPS record will
be based on the data described in
Alternative 2.
Final Provisions
In the ‘‘Final Provisions’’ portion of
section II. A. 2. of this preamble,
‘‘Definition of a Health Care Provider,’’
we describe the entities that will be
eligible to receive NPIs. The data
structures discussed below apply to
every entity that is assigned an NPI.
The mailing address and one practice
address (physical location) will be
collected by the NPS for each health
care provider. One physical location
address will be associated with each
NPI.
Because only one physical location
address will be collected per health care
provider, location codes will not be
necessary and, therefore, will not be
established by the NPS.
Group practices often have many
members, and individual health care
providers often move from group to
group. Maintenance of this information
on a national level would be difficult
and costly. Many health plans prefer to
E:\FR\FM\23JAR2.SGM
23JAR2
�3452
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
collect and maintain this information
themselves. Therefore, the NPS will not
link the NPI of a group to the NPIs of
individual health care providers who
are members of that group.
The NPS will collect the same data
from group health care providers as it
will collect from organization health
care providers.
Group practices will be considered
organization health care providers and
will be enumerated as organization
health care providers.
We will design the NPS along the
lines of Alternative 2 as presented in the
May 7, 1998, proposed rule.
2. Data Elements and Data
Dissemination
Proposed Provisions
In the preamble of the May 7, 1998,
proposed rule, in section IV, ‘‘Data,’’ we
listed the data elements that we
proposed to include in the NPS. We
solicited comments on the inclusion
and exclusion of those data elements
and the inclusion of other data elements
that the public believed appropriate. We
asked how the NPS could be designed
to make it useful, efficient, and lowcost.
In that same section, we also posed
data questions and discussed options for
NPS data structures. Section II.C.1. of
this preamble, ‘‘NPS Data Structures,’’
contains the comments and responses
and decisions made regarding NPS data
structures. As a result of those
decisions, some data elements that were
included in the list of proposed data
elements published in the May 7, 1998,
proposed rule will not, in fact, be
included in the NPS database.
Therefore, the information in section
II.C.1. of the preamble should be kept in
mind in reading this section.
In the preamble of the May 7, 1998,
proposed rule, in section V., ‘‘Data
Dissemination,’’ we proposed two levels
of dissemination of information from
the NPS:
• (1) Level I—To the entity(ies)
performing the enumeration functions.
The(se) entity(ies) would have direct
access to the NPS and to all the data
elements in the NPS; and
• (2) Level II—To the general public.
The general public would be able to
request and receive selected data
elements, excluding those that are
protected by the Privacy Act. (Requests
for Privacy Act-protected data and
Freedom of Information Act (FOIA)
requests would be handled in
accordance with existing HHS policies.)
The May 7, 1998, proposed rule
contained a table indicating the level of
dissemination of the NPS data elements.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
We proposed that we would charge fees
for data and data files, but that the fees
would not exceed the costs of
dissemination (63 FR 25338). We
solicited comments on the information
that should be available in paper and
electronic formats and the frequency
with which information should be made
available.
Comments and Responses on Data
Elements and Data Dissemination
Comment: An overwhelming number
of commenters said that the NPS should
contain only the data elements required
to communicate with and uniquely
identify and assign an NPI to a health
care provider. They believed this
information should be the kind that
could effectively be maintained at the
national level, leaving the more
complex and volatile data to health
plans to capture and maintain, as they
currently do. Many commenters listed
the specific data elements that they
recommended we remove from the list
presented in the May 7, 1998, proposed
rule. The majority of commenters
believe that, as a result of the removal
of the data elements not needed for
enumeration and communication, the
NPS would be easier and less expensive
to maintain and would operate more
efficiently.
Response: To be valuable, the NPS
must be accurate, up to date, and meet
its intended purpose in the most
feasible way. The NPS must collect
information sufficient to uniquely
identify a health care provider and
assign it an NPI and must collect
information sufficient to communicate
with a health care provider. The data
elements that we have retained are
necessary to uniquely identify and
communicate with a health care
provider. Our decision to reduce the
composition of the NPS to the data
elements needed for unique
identification and communication
removes many of the data elements that
were proposed to comprise the NPS in
the May 7, 1998, proposed rule. The
comments and responses that follow
contain additional information and
rationale concerning our decision to
include or exclude certain data
elements.
Comment: Some commenters said that
collecting but not validating
certification or school information
would make that information
meaningless. Most commenters did not
believe the NPS should collect
certification or school information in
the first place because it would not be
useful in uniquely identifying the
individual applying for an NPI. They
believe that collection and validation of
PO 00000
Frm 00020
Fmt 4701
Sfmt 4700
this information should continue to be
done by health plans in their health care
provider enrollment processes. Most
commenters supported the collection of
credential designation(s) (for example,
M.D., C.S.W., and R.N.), license
number(s), and State(s), which issued
the license(s) for individual health care
providers whose taxonomy
classifications require licenses.
Response: We agree with commenters
that it would be costly to collect,
validate, and maintain certification and
school information. We do not believe
the NPS should replicate unnecessarily
the work carried out by health plans.
We agree that health plans, which do
this work now, should appropriately
continue to do so. The NPS will capture
an individual health care provider’s
license number (if appropriate), the
State which issued the license (multiple
occurrences of both data elements), and
the credential designation(s). The
credential designation(s) (called
‘‘Provider’s credential designation’’ in
the May 7, 1998, proposed rule) will be
captured in the data element ‘‘Provider
credential text,’’ which will be a
repeating field. This data element was
renamed to make it compatible with
X12N HIPAA data dictionary naming
conventions and also to avoid giving the
impression that the NPS will be
validating the credentials. The license
number and State in which it was
issued will be useful to health plans in
matching NPS records to their health
care provider files. As a result of the
decision not to collect certification and
school information, the following data
elements will not be included in the
NPS:
• Provider certification code;
• Provider certification (certificate)
number;
• School code;
• School name;
• School city, State, country;
• School graduation year.
Comment: Commenters did not see
value in the NPS capturing ‘‘Provider’s
birth county name.’’ They believe the
State name and country (the latter
required if the health care provider was
not born in the United States) would be
sufficient for identification purposes.
Response: We agree. The ‘‘Provider’s
birth county name’’ data element will be
excluded from the NPS.
Comment: Some commenters
suggested that the ‘‘Taxpayer Identifying
Number’’ (TIN) be added to the NPS.
They believed this was needed to match
NPS records to health plans’ health care
provider files and that it could help in
unique identification.
Response: We agree that the numbers
used to report income taxes will be
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
useful in uniquely identifying health
care providers.
According to the Internal Revenue
Service (IRS), three numbers (known as
‘‘Taxpayer Identifying Numbers,’’ or
TINs) may be used (depending on
circumstances) to report income taxes:
(1) The Social Security Number (SSN),
assigned by the Social Security
Administration to individuals; (2) the
IRS Individual Taxpayer Identification
Number (ITIN), assigned by the IRS to
individuals who are not eligible to
receive Social Security Numbers; and
(3) the Employer Identification Number
(EIN), assigned by the IRS to
organization health care providers (that
is, health care providers that would not
be assigned ‘‘Entity type code’’ 1 NPIs).
For purposes of being assigned NPIs,
health care providers will be asked
voluntarily to supply their SSN or IRS
ITIN (if they are individuals who would
be assigned an ‘‘Entity type code’’ 1
NPI), or will be required to supply their
EIN (if they are organizations that would
be assigned ‘‘Entity type code’’ 2 NPIs).
Requesting the SSN from individual
health care providers will dictate that
we include on the NPI application/
update form appropriate disclosure and
Privacy Act statements.
Comment: Some commenters
suggested that Medicare and Medicaid
sanction information be added to the
NPS. One commenter wanted to know
where sanction data would be housed
and who would maintain these data.
Response: The NPS will not contain
sanction data or indicators that sanction
data exist. Sanction data were not
included in the data element list
published in the May 7, 1998, proposed
rule. While maintainers of sanction
databases may incorporate the NPI into
their databases to enable searches by
NPI, the NPS will not house sanction
information. The Web address for the
Office of Inspector General sanctioned
health care providers file is http://
exclusions.oig.hhs.gov/.
Comment: Some commenters said that
‘‘License revoked indicator’’ and
‘‘License revoked date’’ should be
included in the NPS.
Response: The NPS will not capture
this or similar information. The
uniqueness of the health care provider
can be established without this
information. This information would
more appropriately be collected by
health plans.
Comment: A number of data elements
were suggested to be added to the NPS.
These included ‘‘Owner of the
provider,’’ ‘‘Practice type control code’’
(office-based, hospital-based, Federal
facility practice, and other), ‘‘Source of
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
information for certification,’’ ‘‘Provider
type,’’ and ‘‘Provider specialty code.’’
Response: The May 7, 1998, proposed
rule did not propose that the NPS
collect health care provider ownership
information. This information is volatile
and already resides on most health
plans’ health care provider enrollment
files. Practice type control information
is not required to uniquely identify or
classify a health care provider for NPS
purposes; therefore, it will not be
included in the NPS. ‘‘Source of
information for certification’’ will not be
captured because, as explained earlier
in this section, certification information
will not be collected by the NPS. The
definitions of ‘‘Provider type’’ and
‘‘Provider specialty code’’ may differ
from one health plan to another; the
NPS will capture the type(s),
classification(s), and area(s) of
specialization as described in the
Healthcare Provider Taxonomy Code
set. By capturing this information, we
take into account the specialty
classifications as required by HIPAA.
The taxonomy can be viewed at this
Web site: http://www.wpc-edi.com/
taxonomy/.
Comment: A commenter suggested
that a health care provider’s ‘‘pay-to
address’’ be added to the NPS. Another
commenter stated that health plans will
use the health care provider’s mailing
address as the pay-to address. Another
commenter suggested that HHS consider
electronic data interchange (EDI)
addresses for inclusion in the NPS.
Response: In most situations, a health
care provider’s ‘‘pay-to address’’ is its
mailing address. Therefore, we do not
believe it is necessary to add a ‘‘pay-to
address’’ to the NPS. Because EDI
addresses are not standardized at this
time, they will not be included in the
NPS. The composition of the NPS will
be revised if necessary in the future.
Comment: Several commenters
suggested adding the name of the
establishing enumerator or agent and
the name and telephone number of the
enumerator who made the last update to
the NPS. They believe that this
information would help ensure the
accuracy of the database by preventing
multiple enumerators from updating or
attempting to update the same records.
Response: As discussed in section II.
B. 2. of this preamble, ‘‘Health Care
Provider Enumeration,’’ there will be
one entity, under HHS direction, that
will be charged with enumeration
functions. The decision to use a single
enumerator renders the data elements
proposed by these commenters
unnecessary. The ‘‘Establishing
enumerator/agent number’’ will not be
included in the NPS.
PO 00000
Frm 00021
Fmt 4701
Sfmt 4700
3453
Comment: One commenter suggested
we add ‘‘Provider status’’ and ‘‘Date of
deactivation’’ to the NPS.
Response: In section II. A. 2. of this
preamble, ‘‘Definition of Health Care
Provider,’’ we describe the reasons why
an NPI may be deactivated. We have
added to the NPS two new data
elements: ‘‘National Provider Identifier
deactivation reason code’’ and
‘‘National Provider Identifier
deactivation date.’’ These data elements
will capture the information suggested
by this commenter. (It should be noted
that ‘‘Provider’s date of death’’ will be
excluded as a data element from the
NPS. Fact of death and resulting
deactivation date will be captured in the
two new data elements.) We have also
added a data element called ‘‘National
Provider Identifier reactivation date,’’
which will capture the date that a health
care provider’s NPI is reactivated.
Comment: Several commenters
suggested adding ‘‘Cross reference to
replacement NPI.’’ They thought it
would be important to link former and
current NPIs.
Response: In section II. A. 2. of this
preamble, ‘‘Definition of Health Care
Provider,’’ we explain that an NPI is
designed to last indefinitely. There may,
however, be an unusual circumstance
that would justify a health care
provider’s request to be issued a new,
different NPI. In these situations, the
NPS will link the new, or replacement,
NPI to the previous NPI(s) of that same
health care provider. (By ‘‘same health
care provider,’’ we mean an entity with
exactly the same data elements, or string
of NPS data.) We will add two new data
elements to the NPS: ‘‘Replacement
NPI’’ and ‘‘Previous NPI.’’ Both will be
repeating fields (see ‘‘Data Status’’
preceding the National Provider System
Data Elements and Data Dissemination
table). When a user retrieves the NPS
record of a health care provider, either
of those fields may contain data. (If
neither field contains data, the health
care provider has had only one—its
original—NPI.) The user can then
retrieve the related NPS record by
requesting the record of the NPI
appearing in the ‘‘Replacement NPI’’ or
the ‘‘Previous NPI’’ field, whichever is
appropriate.
Comment: One commenter suggested
that ‘‘Effective from’’ and ‘‘Effective
through’’ dates be added for telephone
numbers and addresses.
Response: We expect that the NPS
will be designed to associate dates with
the information about a health care
provider, thus creating a history of a
health care provider’s record. When
changes are made to a health care
provider’s telephone number or address,
E:\FR\FM\23JAR2.SGM
23JAR2
�3454
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
that health care provider’s record will
include the dates of those changes.
‘‘Effective from’’ and ‘‘Effective
through’’ dates for telephone numbers
and addresses may not hold true; there
could be unexpected situations that
could cause changes to occur sooner or
later than reported. We believe it will be
more accurate to include a date to
reflect each time a change is made in
this information.
Comment: A commenter suggested
that the On-line Survey Certification
and Reporting System (OSCAR) number
be maintained after the initial load of
Medicare providers, and that the NPS
include a ‘‘Facility type’’ indicator for
OSCAR providers.
Response: As explained earlier in
section II. B. 2. of this preamble,
‘‘Health Care Provider Enumeration,’’
we are evaluating the feasibility of
populating the NPS with existing
Medicare provider files. If this is done,
the OSCAR number, which is a
Medicare-assigned number, will be
captured in the NPS automatically.
Whether or not we populate the NPS
with Medicare files, the NPI
application/update form will collect
health care provider identification
numbers that are assigned by certain
health plans (including Medicare) and
other organizations. Health care
providers that apply for NPIs will be
able to furnish these numbers (‘‘Other
provider identifier’’) and to indicate the
type of number being furnished (for
example, OSCAR, UPIN, DEA, and
Medicaid) (‘‘Other provider identifier
type code’’), on the NPI application/
update form. These will be optional and
repeating NPS data elements. The NPS
will capture as many ‘‘Other provider
identifier’’ entries and the
corresponding ‘‘Other provider
identifier type code’’ entries as are
reported on the NPI application/update
form. The NPS will apply changes or
updates to the ‘‘Other provider
identifier’’ or ‘‘Other provider identifier
type code’’ when health care providers
notify the NPS of changes to this
information.
The NPS will not require a ‘‘Facility
type’’ indicator for health care providers
with OSCAR numbers. It will collect the
Healthcare Provider Taxonomy Code on
the NPI application/update form.
Comment: Several commenters
suggested the NPS retain the health care
provider mailing and health care
provider practice (provider location)
phone number, facsimile number, and
electronic mail address only during the
initial assignment of NPIs, and then
discontinue maintenance of this
information.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
Response: These data elements are
needed for communication with the
health care provider. HHS may need to
communicate with a health care
provider at any time during the
implementation period or after.
Therefore, these data elements will be
maintained beyond the initial
assignment of NPIs. In section II. A. 5.
of this preamble, ‘‘Implementation
specifications for Health Care Providers,
Health Plans, and Health Care
Clearinghouses,’’ we are requiring
health care providers who are covered
entities to update their required NPS
data, which includes the data elements
noted in the comment above, whenever
changes occur.
Comment: Many commenters
suggested that several data elements be
repeated; for example: ‘‘Provider’s other
name’’ and ‘‘Provider’s other name
type’’; ‘‘Other provider number’’ and
‘‘Other provider number type’’;
‘‘Provider license number’’ and
‘‘Provider license State’’; ‘‘Provider
classification’’; the data elements
associated with schools; and the data
elements associated with credentials.
Response: The data element table
appearing in the May 7, 1998, proposed
rule did not indicate repeating fields. In
the National Provider System Data
Elements table at the end of this section,
repeating fields are noted as such. The
NPS will contain as many repeating
fields as there is information for
‘‘Provider other last or other
organization name’’ and ‘‘Provider other
last or other organization name type
code.’’ As mentioned earlier, the NPS
will also be able to accommodate
multiples of other health care provider
numbers in the data element ‘‘Other
provider identifier’’ and types of other
health care provider numbers in the
data element ‘‘Other provider identifier
type code.’’ The NPS will accommodate
multiple entries for ‘‘Provider license
number’’ and ‘‘Provider license State.’’
As explained earlier, the school
information will be excluded from the
NPS. ‘‘Provider credential text’’ (for
example, M.D. and D.D.S.) will be a
repeating field. These repeating fields
are either optional or situational and
will not be validated.
Comment: Many commenters asked
that ‘‘Provider’s race’’ be removed from
the NPS. They did not believe it would
be accurately reported. They stated that
there are inconsistent definitions for
‘‘race’’; they did not understand the
purpose for collecting this information.
Response: We understand and
appreciate the comments stating that the
NPS should be capturing only what is
needed for unique identification of and
communication with a health care
PO 00000
Frm 00022
Fmt 4701
Sfmt 4700
provider. While collection of race and
ethnicity data could support a number
of important research activities, this
information is not needed to uniquely
identify a health care provider; thus, we
have concluded that the NPS is not the
appropriate vehicle for collecting this
information. Therefore, we will not
collect these data elements even on an
optional basis.
Comment: Several commenters
suggested that a number of other data
elements be excluded from the NPS: all
user-requested data elements (these
were denoted by a ‘‘U’’ in the data
element list in the May 7, 1998,
proposed rule), ‘‘Other provider
number,’’ ‘‘Other provider number
type,’’ ‘‘Organization type control
code,’’ ‘‘Provider certification code,’’
‘‘Provider certification (certificate)
number,’’ ‘‘Provider license number,’’
‘‘Provider license State,’’ ‘‘School code,’’
‘‘School name,’’ ‘‘School city, State,
country,’’ ‘‘School graduation year,’’
‘‘Provider classification,’’ ‘‘Date of
birth,’’ all electronic mail addresses and
fax numbers, ‘‘Date of death,’’ ‘‘Provider
sex,’’ and ‘‘Resident/Intern code.’’
Response: We stated in the previous
response that ‘‘Provider race code’’
(which was a user-requested data
element in the list included in the May
7, 1998, proposed rule) will not be
retained. We discussed all other data
elements presented as user-requested
data elements in the list in the May 7,
1998, proposed rule in previous
comments and responses except for
‘‘Organization type control code’’ and
‘‘Resident/Intern code.’’ These two latter
data elements will be excluded; they are
not needed for the unique identification
of or communication with a health care
provider.
Comment: Several commenters
questioned the use of ‘‘optional’’ data
elements, believing that ‘‘optional’’
information will rarely be furnished
and, if it is furnished, may not be
reliable and probably would not be kept
current.
Response: Certain information about
health care providers that is desirable to
uniquely identify them in order to
assign NPIs cannot be required to be
furnished. ‘‘Situational’’ data elements
should not be confused with ‘‘optional’’
data elements. ‘‘Situational’’ data
elements are required if a certain
situation, or condition, exists.
‘‘Optional’’ data elements do not have to
be supplied at all. For example,
‘‘Provider other last or other
organization name’’ is optional. A
health care provider may choose not to
report a former name or a professional
name. We have attempted to make as
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
few data elements as possible
‘‘optional’’ in the NPS.
Comment: Several commenters
suggested that data element names,
qualifiers, and definitions be consistent
with the X12N HIPAA data dictionary.
Response: The NPS data element
names, qualifiers, and definitions,
wherever possible, are mappable to
those in the X12N HIPAA data
dictionary and are compatible with
X12N naming conventions. We believe
the mapping capability and naming
convention compatibility are essentially
what the commenters wanted and
believe we have satisfied their concerns.
Comment: Two commenters suggested
that the Drug Enforcement
Administration (DEA) number be
collected from health care providers that
have one.
Response: The DEA number is an
example of an ‘‘Other provider
identifier.’’ The DEA number can be
accommodated in this field in the NPS.
We recognize that mapping between
DEA numbers and NPIs is very
important for the conversion of retail
pharmacy files during NPI
implementation. Therefore, we will
collect the DEA number in the ‘‘Other
provider identifier’’ field if it is reported
on the NPI application/update form and
will carry the fact that it is a DEA
number by setting the ‘‘Other provider
identifier type code’’ to indicate that.
Comment: Several commenters
suggested that we publish a data model
and record layout or both describing in
detail the data elements, field lengths,
format, repeating fields, and required
and situational fields.
Response: The data element table in
this preamble includes an indication of
‘‘required,’’ ‘‘optional,’’ or ‘‘situational’’
for each data element, and repeating
data elements are noted as such. More
detailed information, as requested in the
comment, will be posted to the CMS
Web site (http://www.cms.hhs.gov)
when it becomes available during the
NPS design.
Comment: Several commenters said
an audit trail of NPI updates is needed
for qualified users. This would indicate
which enumerator updated which
fields.
Response: The NPS will construct an
audit trail. We expect that the audit trail
would include the date a change was
made, the old value, the new value, and
the initiator of the change. As stated in
section II. B. 2. of this preamble,
‘‘Health Care Provider Enumeration,’’
there will not be multiple enumerators.
The NPS will contain a date (‘‘Last
update date’’) that will indicate when a
change was made to a health care
provider’s record. Extracts containing
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
NPS changes will be made available in
HHS-determined format and media to
satisfy requests from approved users
(see later discussion in this section of
the data dissemination strategy).
Comment: Several Medicaid State
agencies suggested that the Healthcare
Provider Taxonomy Code set contain all
health care provider types and
specialties needed by Medicaid plans.
Another commenter asked that the code
set reflect services provided by
pharmacists. Another stated that the
code set did not contain a category for
pain medicine. Several other
commenters said the taxonomy code set
is inconsistent.
Response: Until recently, this code set
was maintained through an open
process by the National Healthcare
Provider Taxonomy Committee for use
in Accredited Standards Committee
X12N standard transactions. It is now
maintained through an open process by
the National Uniform Claim Committee.
The Web site at which the code set is
available is http://www.wpc-edi.com/
taxonomy/. The web site contains
information on how changes to the code
set can be requested. (Note: Pharmacy
service providers and physicians whose
specialization is ‘‘Pain Medicine’’ are
included in the code set.) Comment:
Several commenters suggested that the
NPS contain a feature whereby the
Healthcare Provider Taxonomy Code set
classifications will be available for
selection when applying for an NPI.
Response: We will consider this
comment in the design of the NPI
application/update form.
Comment: Many commenters
supported the creation of an industrywide forum to determine the data
element content, identify the mandatory
and optional data elements, and
determine the data dissemination
requirements of the NPS. They
recommended that WEDI foster such a
group.
Response: WEDI is named in the Act
as an external group with which the
Secretary must consult in certain
circumstances in standards
development. To address these issues,
WEDI formed several workgroups,
which consisted of representatives from
every aspect of the health care industry.
Following the workgroups’ meetings,
WEDI supplied HHS with comments on
NPS data, data dissemination, and other
issues, supplementing the comments
WEDI provided to HHS during the
public comment period. We have
considered these comments in
developing this final rule.
Comment: Most commenters did not
favor the two-level data dissemination
approach presented in the May 7, 1998,
PO 00000
Frm 00023
Fmt 4701
Sfmt 4700
3455
proposed rule but favored instead a
three-level approach:
• Commenters agreed that only the
entity performing the enumeration
functions and HHS should have access
to the entire NPS.
• Commenters did not want Privacy
Act restrictions violated but believe that
our approach denied health plans and
certain other health care industry
entities information that they needed in
order to process HIPAA transactions,
while it gave the general public an
excessive—and unnecessary—amount of
information. They said that health plans
and other health care industry entities
required certain Privacy Act-protected
data in order to accurately match their
health care provider files with NPS data
to effectively implement HIPAA
requirements. Many suggested that
health plans and health care
clearinghouses be permitted to obtain
copies of the database and periodic
update files so that they can maintain
files that are continually consistent with
the NPS. Some commenters suggested
an on-line query and response system be
developed for health plans to verify a
health care provider’s NPI. Others
wanted electronic transactions designed
that could be sent to the NPS with a
response returned. These transactions
might request all available data, regional
data, new records only, and updated
records only. Some commenters
suggested that health plans have batch
and interactive access capabilities to the
NPS, stating that health plans will
require daily batch updates of new and
changed records, particularly during the
implementation period. Some suggested
that changed records be available for
electronic download daily and weekly,
and monthly by CD ROM and diskette.
Still others preferred that health care
entities receive data through the Internet
with secure identifiers.
• One commenter stated the NPS data
should be used strictly for enumeration
and that no NPS data should be made
available to the public. This commenter
recommended that the public and others
obtain NPIs from the health care
providers themselves, not from the NPS.
Some commenters believe it
inappropriate for the general public to
look to the NPS as the source of any but
the most general types of information
about health care providers. Some
commenters expressed concern that
public release of too much information
(particularly, full addresses) could
subject health care providers to receipt
of junk mail and other unsolicited
materials.
• Commenters recommended that
agreements be signed by anyone
receiving NPS data to ensure the
E:\FR\FM\23JAR2.SGM
23JAR2
�3456
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
information released would not be used
for marketing or mailing list generation
or sold or transferred to another entity.
• Several commenters stated that
personally identifiable data about health
care providers, contained in the NPS,
should be available to researchers for
clinical and financial outcomes analyses
after appropriate agreements are signed.
• One commenter suggested readonly access to the NPS data for all users.
• Several commenters stated that the
data dissemination policy should be
consistent with the routine uses of NPS
data as published in the NPS System of
Records Notice (63 FR 40297).
• The three dissemination levels
suggested by commenters were:
• Level 1—Available to HHS and the
entity with which HHS contracts to
perform the enumeration functions.
• Level 2—Available to health plans
and certain other health care industry
entities that require certain Privacy-Act
protected data to match their health care
provider files to NPS data.
• Level 3—Available to the general
public.
Response: In order to keep costs low,
we must make the NPS data
dissemination strategy as efficient and
uncomplicated as possible. The number
of formats and access options will need
to be limited.
We view the NPS as a health care
provider identification and enumeration
system, capturing the information
required to perform those functions and
disseminating information needed by
health plans and other entities to
effectively carry out the provisions of
HIPAA. We agree with the majority of
commenters who stated that health
plans and certain other health care
industry entities require NPS data,
including some data that are protected
by the Privacy Act, in order to
effectively conduct HIPAA transactions.
(Privacy Act-protected data are those
that reveal or could reveal the identity
of a specific individual when used alone
or in combination with or linked to one
or more data elements.)
Comment: Some commenters
suggested that a health care provider be
able to access its own NPS data through
the Internet to ensure its accuracy and
to facilitate updating the information.
Response: This comment will be
considered in the design of the NPS; if
it is determined to be feasible, this
access will be made available.
Comment: Several commenters
supported charging reasonable fees or
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
subscription rates for web-based data
access options; for example, HHS could
charge an annual subscription fee for
unlimited downloads and a different
subscription fee for monthly downloads.
Some commenters asked if on-line
access charges would be based on time
or on a per file access basis.
Some commenters believed that usage
fees should not be limited to the cost of
producing the data but should be linked
to the costs and value of establishing
and using the NPS.
Many commenters stated that the
enumerator(s) should not have to pay
for NPS data.
One commenter, who had suggested
the enumerator be a public and private
sector trust, suggested that
dissemination fees be established and
administered by the public and private
sector trust.
Response: The design of the NPS will
facilitate making information available
in an efficient manner, which will
involve the use of the Internet. We are
reviewing the issue of charging fees, and
intend to consider charging fees to the
extent our authority permits.
Final Provisions (§ 162.408(b) and (f))
The NPS Data Elements Table lists the
data elements that we expect to collect
about a health care provider and which
will be included in the National
Provider System (NPS). The data
element table is not intended to be used
for data design purposes. During NPS
design and development, the names and
attributes of the data elements may be
revised. We are including this listing to
show readers the kind of information
that we expect will be collected about
health care providers or that will be
NPS-generated (for example, the NPI)
about health care providers. The table
does not include systems maintenance
or similar fields.
Description of the information
contained in each column of this table:
Data Element Name: The name of the
data element residing in the NPS.
Description: The definition of the data
element and related information.
Data Status: The instruction for
furnishing the information being
requested in the data element. The
abbreviations used in this column are as
follows:
Required (R): Required for NPI
assignment. NPS-generated (NG):
Generated or assigned by the NPS.
Optional (O): Not required for NPI
assignment. Situational (S): If a certain
PO 00000
Frm 00024
Fmt 4701
Sfmt 4700
condition exists, the data element is
required. Otherwise, it is not required.
Repeat (RPT): Indicates that the data
element is a repeating field. A repeating
field is one that can accommodate more
than one separate entry. Each separate
entry must meet the edits, if any,
designated for that data element.
Data Condition: Describes the
condition(s) under which a
‘‘Situational’’ data element must be
furnished. NOTE: The abbreviation NA
means ‘‘not applicable.’’
Entity Types: The ‘‘Entity type codes’’
to which the data element applies. See
the description of the data element
‘‘Entity type code’’ in the table.
Use: The purpose for which the
information is being collected or will be
used.
I: The data element supports the
unique identification of a health care
provider.
A: The data element supports
administrative implementation
specifications.
Dissemination of data from the NPS is
a complex process. It must be
responsive to requests from covered
entities for NPS information that they
need in order to comply with HIPAA.
We expect a high volume of such
requests, primarily from health plans,
once NPIs begin to be assigned. At the
same time, the dissemination process
must ensure compliance with the
provisions of the Privacy Act, the
Freedom of Information Act, the
Electronic FOIA Amendments of 1996,
and other applicable regulations and
authorities, and must be consistent with
the NPS System of Records Notice,
which was published on July 28, 1998.
We expect to make routinely
available, via the Internet and on paper,
HHS-formatted data sets that will
contain general identifying information,
including the NPI, of enumerated
organization health care providers and
subparts of such health care providers
(as described earlier in this preamble).
Because of complexities that are
inherent in disseminating data from the
NPS, it is necessary to eliminate from
the NPS Data Elements Table the
column that, in the proposed rule,
indicated the data dissemination level.
Our data dissemination strategy and the
process by which it will be carried out
will be described in detail at a later date
and published in a notice in the Federal
Register.
E:\FR\FM\23JAR2.SGM
23JAR2
�3457
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
NPS DATA ELEMENTS
Data element name
National Provider Indentifier (NPI)
Entity type code (type of health
care provider assigned an NPI).
Replacement
Identifier.
National
Provider
Previous National Provider Identifier.
Provider Social Security Number
(SSN).
Provider IRS Individual Taxpayer
Identification Number (IRS ITIN).
Provider Employer
Number (EIN).
Identification
Provider last name or organization
name.
Provider first name .........................
Provider middle name ....................
Provider other last or other organization name.
Provider other last or other organization name type code.
Provider other first name ...............
Provider other middle name ...........
Provider name prefix text ...............
VerDate jul<14>2003
18:17 Jan 22, 2004
Data
status
Description
10-position all-numeric identification number assigned by the NPS to uniquely
identify a health care provider.
Code describing the type of health care
provider that is being assigned an NPI.
Codes are 1 = (Person): individual
human being who furnishes health care;
2 = (Non-person): entity other than an individual human being that furnishes
health care (for example, hospital, SNF,
hospital subunit, pharmacy, or HMO).
The most recent NPI issued by the NPS to
this provider. Issuance of a Replacement
NPI by the NPS would be an unusual circumstance in which the provider requested a new, different NPI for a valid
reason. Issuance of a Replacement NPI
is different from NPI deactivation and NPI
reactivation.
The NPI that had previously been issued to
this provider.
The SSN assigned by the Social Security
Administration (SSA) to the individual
being identified.
The taxpayer identifying number assigned
by the IRS (to individuals who are not eligible to be assigned SSNs) to the individual being identified.
The Employer Identification Number (EIN),
assigned by the IRS, of the provider
being identified.
The last name of the provider (if an individual) or the name of the organization
provider. If the provider is an individual,
this is the legal name. If the provider is
an organization, this is the legal business
name.
The first name of the provider, if the provider is an individual.
The middle name of the provider, if the provider is an individual.
Data condition
(situational status only)
Entity
types
NG
NA ..................................................
1, 2 .....
I
R
NA ..................................................
1, 2 .....
A
NG
S
RPT
Required if provider has been
issued a replacement NPI.
1, 2 .....
I
NG
S
RPT
O
Required if provider previously had
been issued a different NPI.
1, 2 .....
I
NA ..................................................
1 .........
I
O
NA ..................................................
1 .........
I
S
Required if the provider has an
EIN.
2 .........
I
R
NA ..................................................
1, 2 .....
I
S
Required if the provider’s NPI is
Entity type code = 1.
Required if the provider’s NPI is
Entity type code = 1 and the
provider has a middle name.
NA ..................................................
1 .........
I
1 .........
I
1, 2 .....
I
Required if ‘‘Provider other last or
other organization name’’ contains data. Codes 1–2 apply to
individuals; codes 3–4 apply to
organizations; code 5 applies to
both.
Required if ‘‘Provider other last or
organization name’’ contains
data and the provider’s NPI is
Entity type code = 1.
1, 2 .....
I
1 .........
I
S
RPT
Required if ‘‘Provider other last or
organization name’’ contains
data, the provider NPI is Entity
type code = 1, and the provider
has a middle name.
1 .........
I
O
NA ..................................................
1 .........
I
S
Other last name by which the provider
being identified is or has been known (if
an individual) or other name by which the
organization provider is or has been
known.
Code identifying the type of other name.
Codes are: 1 = former name; 2 = professional name; 3 = doing business as (d/b/
a) name; 4 = former legal business
name; 5 = other.
O
RPT
Other first name by which the provider
being identified is or has been known (if
an individual). This may be the same as
the ‘‘Provider first name’’ if the provider is
or has been known by a different last
name only.
Other middle name by which the provider
being identified is or has been known (if
an individual). This may be the same as
the ‘‘Provider middle name’’ if the provider is or has been known by a different
last name only.
The name prefix or salutation of the provider if the provider is an individual; for
example, Mr., Mrs., or Corporal.
S
RPT
Jkt 203001
PO 00000
Frm 00025
Fmt 4701
Sfmt 4700
S
RPT
E:\FR\FM\23JAR2.SGM
23JAR2
Use
�3458
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
NPS DATA ELEMENTS—Continued
Data
status
Data condition
(situational status only)
Entity
types
O
NA ..................................................
1 .........
I
O
NA ..................................................
1 .........
I
R
NA ..................................................
1, 2 .....
A
S
Required if it exists ........................
1, 2 .....
A
S
Required if the address has no
State code but contains a State
or Province name.
1, 2 .....
A
S
Required if the address is inside
the United States or has an associated postal code.
1, 2 .....
A
S
Required if address is outside the
United States.
1, 2 .....
A
S
Required if provider mailing address has a telephone.
1, 2 .....
A
O
NA ..................................................
1, 2 .....
A
R
NA ..................................................
1, 2 .....
A
S
Required if it exists ........................
1, 2 .....
A
R
NA ..................................................
1, 2 .....
A
S
Required if address is inside the
United States or has an associated State code.
Required if the address has no
State code but contains a State
or Province name.
Required if the address is inside
the United States or has an associated postal code.
1, 2 .....
A
1, 2 .....
A
1, 2 .....
A
Required if address is outside the
United States.
1, 2 .....
A
Data element name
Description
Provider name suffix text ...............
Provider location address city
name.
Provider location address State
code.
The name suffix of the provider if the provider is an individual. The name suffix is
a ‘‘generation-related’’ suffix, such as Jr.,
Sr., II, III, IV, or V.
The abbreviations for professional degrees
or credentials used or held by the provider, if the provider is an individual. Examples are MD, DDS, CSW, CNA, AA,
NP, RNA, or PSY. These credential designations will not be verified by NPS.
The first line mailing address of the provider being identified. This data element
may contain the same information as
‘‘Provider first line location address’’.
The second line mailing address of the provider being identified. This data element
may contain the same information as
‘‘Provider second line location address’’.
The State or Province name in the mailing
address of the provider being identified.
This data element may contain the same
information as ‘‘Provider location address
State name’’.
The postal ZIP or zone code in the mailing
address of the provider being identified.
NOTE: ZIP code plus 4-digit extension, if
available. This data element may contain
the same information as ‘‘Provider location address postal code’’.
The country code in the mailing address of
the provider being identified. This data
element may contain the same information as ‘‘Provider location address country code’’.
The telephone number associated with
mailing address of the provider being
identified. This data element may contain
the same information as ‘‘Provider location address telephone number’’.
The fax number associated with the mailing
address of the provider being identified.
This data element may contain the same
information as ‘‘Provider location address
fax number’’.
The first line location address of the provider being identified. For providers with
more than one physical location, this is
the primary location. This address cannot
include a Post Office box.
The second line location address of the
provider being identified. For providers
with more than one physical location, this
is the primary location. This address cannot include a Post Office box.
The city name in the location address of
the provider being identified.
The State code in the location of the provider being identified.
Provider location address State
name.
The State or Province name in the location
address of the provider being identified.
S
Provider location address postal
code.
The postal ZIP or zone code in the location
address of the provider being identified.
NOTE: ZIP code plus 4-digit extension, if
available.
The country code in the location address of
the provider being identified.
S
Provider credential text ..................
Provider first line mailing address ..
Provider second line mailing address.
Provider mailing
name.
address
State
Provider mailing address postal
code.
Provider mailing address country
code.
Provider mailing address telephone
number.
Provider mailing address fax number.
Provider first line location address
Provider second line location address.
Provider location address country
code.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
PO 00000
Frm 00026
Fmt 4701
Sfmt 4700
S
E:\FR\FM\23JAR2.SGM
23JAR2
Use
�3459
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
NPS DATA ELEMENTS—Continued
Data element name
Provider location
phone number.
address
Data
status
Description
tele-
Data condition
(situational status only)
Entity
types
R
NA ..................................................
1, 2 .....
A
O
NA ..................................................
1, 2 .....
A
R
RPT
NA ..................................................
1, 2 .....
I
O
RPT
NA ..................................................
1, 2 .....
I
O
RPT
NA ..................................................
1, 2 .....
I
NG
NA ..................................................
1, 2 .....
A
NG
NA ..................................................
1, 2 .....
A
S
Required if NPI has been deactivated.
1, 2 .....
A
S
Required if ‘‘NPI deactivation
code’’ contains data.
NA ..................................................
1, 2 .....
A
1, 2 .....
A
Required if the provider’s NPI is
Entity type code = 1.
Required if born in United States ..
1 .........
I
1 .........
I
1 .........
I
1 .........
I
S
RPT
Required if country is other than
United States.
Required if the provider’s NPI is
Entity type code = 1.
Required for certain ‘‘Provider taxonomy codes.’’.
1, 2 .....
I
S
RPT
Required if ‘‘Provider license number’’ contains data.
1, 2 .....
I
R
........................................................
2 .........
I
R
S
2 .........
2 .........
I
I
2 .........
I
2 .........
I
1, 2 .....
I
Authorized official first name ..........
Authorized official middle name .....
The telephone number associated with the
location address of the provider being
identified.
The fax number associated with the location address of the provider being identified.
Code designating the provider type, classification, and specialization. Codes are
from the Healthcare Provider Taxonomy
code list. The NPS will associate these
data with the license data for providers
with Entity type code = 1.
Additional number currently or formerly
used as an identifier for the provider
being identified. This data element will be
captured from the NPI application/update
form.
Code indicating the type of identifier currently or formerly used by the provider
being identified. The codes may reflect
UPIN, NSC, OSCAR, DEA, Medicaid
State or PIN identification numbers. This
data element will be captured from the
NPI application/update form.
The date the provider was assigned a
unique identifier (assigned an NPI).
The date that a record was last updated or
changed.
The reason that the provider’s NPI was deactivated in the NPS. Codes are: 1 =
death of entity type ‘‘1’’ provider; 2 = entity type ‘‘2’’ provider disbandment; 3 =
fraud. 4 = other (for example, retirement).
The date that the provider’s NPI was deactivated in the NPS.
The date that the provider’s NPI was reactivated in the NPS.
The date of birth of the individual being
identified.
The code representing the State in which
the individual being identified was born.
X12N code lists and names will be used
for this element.
The code representing the country in which
the individual being identified was born.
The code designating the provider’s gender
if the provider is a person.
The license number issued to the provider
being identified. The NPS can accommodate multiple license numbers for multiple
specialties and for multiple States. The
NPS will associate this data element with
‘‘provider taxonomy code’’.
The code representing the State that
issued the license to the provider being
identified. This field can accommodate
multiple States. It is associated with
‘‘provider license number.
The last name of the person authorized to
submit the NPI application or to change
NPS data for a health care provider.
The first name of the authorized official ......
The middle name of the authorized official
Authorized official title or position ..
The title or position of the authorized official
S
Authorized official telephone number.
Contact person last name ..............
The 10-position telephone number of the
authorized official.
The last name of the person to be contacted if there are questions about the
NPI application or changes in NPS data.
R
........................................................
Required if the authorized official
has a middle name.
Required if the authorized official
has a title or position.
........................................................
R
........................................................
Provider location address fax number.
Provider taxonomy code ................
Other provider identifier .................
Other provider identifier type code
Provider enumeration date .............
Last update date ............................
NPI deactivation reason code ........
NPI deactivation date .....................
NPI reactivation date ......................
Provider birth date ..........................
Provider birth State code ...............
Provider birth country code ............
Provider gender code .....................
Provider license number ................
Provider
code.
license
number
State
Authorized official last name ..........
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
PO 00000
Frm 00027
Fmt 4701
Sfmt 4700
NG
S
S
S
S
E:\FR\FM\23JAR2.SGM
23JAR2
Use
�3460
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
NPS DATA ELEMENTS—Continued
Data
status
Data element name
Description
Contact person first name ..............
Contact person middle name .........
The first name of the contact person ..........
The middle name of the contact person ......
Contact person name suffix text ....
The name suffix of the contact person (for O
example, Jr., Sr., II, III, IV, or V).
The abbreviations for professional degrees O
or credentials used or held by the contact
person. Examples are M.D., R.N., or PhD.
The title or position of the contact person ... S
Contact person credential text .......
Contact person title or position ......
Contact person telephone number
Contact person mailing address
electronic mail identifier.
The 10-position telephone number of the R
contact person.
The electronic mail address associated with S
the mailing address of the contact person.
D. New and Revised Standards
Comments and responses on new and
revised standards can be found in the
Transactions Rule (65 FR 50343).
Generally, we may modify a standard
after the standard has been in effect for
at least a year, unless we determine a
modification is necessary sooner in
order to permit compliance with the
standard. The Secretary may not require
compliance with a modification until at
least 180 days after the modification is
adopted. We will consider requests for
modifications to the standard unique
health identifier for health care
providers.
III. Summary of Revisions to
Regulations Text
We added a definition for ‘‘Covered
health care provider’’ at § 162.402. In
addition to the changes discussed
above, minor organizational or
conforming changes were made to other
sections of the regulations text.
IV. Collection of Information
Requirements
Under the Paperwork Reduction Act
of 1995 (PRA), agencies are required to
provide a 30-day notice in the Federal
Register and solicit public comment on
a collection of information requirement
submitted to the Office of Management
and Budget (OMB) for review and
approval. In order to fairly evaluate
whether an information collection
should be approved by OMB, section
3506(c)(2)(A) of the PRA requires that
we solicit comment on the following
issues:
• Whether the information collection
is necessary and useful to carry out the
proper functions of the agency.
• The accuracy of the agency’s
estimate of the information collection
burden.
VerDate jul<14>2003
18:17 Jan 22, 2004
R
S
Jkt 203001
Data condition
(situational status only)
Entity
types
........................................................
Required if the contact person has
a middle name.
NA ..................................................
1, 2 .....
1, 2 .....
I
I
1, 2 .....
I
NA ..................................................
1, 2 .....
I
Required if the contact person has
a title or position.
........................................................
1, 2 .....
I
1, 2 .....
I
Required if the contact person has
an electronic mail identifier associated with the mailing address of the contact person.
1, 2 .....
I
• The quality, utility, and clarity of
the information to be collected.
• Recommendations to minimize the
information collection burden on the
affected public, including automated
collection techniques.
§ 162.410(a)(1) Through (a)(6)
Implementation Specifications: Health
Care Providers
A health care provider who is a
covered entity must obtain, by
application if necessary, an NPI from
the NPS and must use the NPI it
obtained to identify itself on all
standard transactions where its provider
identifier is required. A covered health
care provider must ensure that its
subpart(s), if assigned an NPI(s), does
the same. A covered health care
provider must disclose its NPI, when
requested, to any entity that needs the
NPI to identify that health care provider
in a standard transaction. A covered
health care provider must ensure that its
subpart(s), if assigned an NPI(s), does
the same. A covered health care
provider that has been assigned an NPI
must notify the NPS of any changes in
its required data within 30 days of the
change. A covered health care provider
must ensure that its subpart(s), if
assigned an NPI(s), does the same. A
covered health care provider that uses
one or more business associates to
conduct standard transactions on its
behalf must require its business
associates to use its NPI and other NPIs
appropriately on standard transactions
that the business associate conducts on
its behalf. A covered health care
provider must ensure that its subpart(s),
if assigned an NPI(s), and if the
subpart(s) uses one or more business
associates to conduct standard
transactions, does the same.
PO 00000
Frm 00028
Fmt 4701
Sfmt 4700
Use
§ 162.412 Implementation
Specifications: Health Plans
A health plan must use the NPI of any
health care provider or subpart in any
standard transaction that requires the
standard unique health identifier for
health care providers. A health plan
may not require a health care provider
that has been assigned an NPI to obtain
an additional NPI.
§ 162.414 Implementation
Specifications: Health Care
Clearinghouses
A health care clearinghouse must
obtain and use the NPI of any health
care provider or subpart in any standard
transaction that requires the standard
unique identifier for health care
providers.
Applicability of the PRA to the
Requirements
The emerging and increasing uses of
health care EDI standards and
transactions have raised the issue of the
applicability of the PRA. The Office of
Management and Budget (OMB) has
determined that this regulatory
requirement (which mandates that the
private sector disclose information and
do so in a particular format) constitutes
an agency-sponsored third-party
disclosure as defined under the PRA.
HIPAA requires the Secretary to adopt
standards that have been developed,
adopted, or modified by a standard
setting organization, unless there is no
such standard, or unless a different
standard would substantially reduce
administrative costs. OMB has
concluded that the scope of its review
under the PRA would include the
review and approval of our decision to
adopt or reject an established industry
standard, based on the HIPAA criterion
of whether a different standard would
E:\FR\FM\23JAR2.SGM
23JAR2
�3461
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
substantially reduce administrative
costs. For example, if OMB concluded
under the PRA that a different standard
would substantially reduce
administrative costs as compared to an
established industry standard, we
would be required to reconsider our
decision under the HIPAA standards.
We would be required to make a new
determination of whether it is
appropriate to adopt an established
industry standard or whether we should
enter into negotiated rulemaking to
develop an alternative standard (section
1172(c)(2)(A) of the Act).
The burden associated with the
requirements of this final rule, which is
subject to the PRA, is the initial onetime burden on health care providers
who are covered entities to apply for an
NPI and later, as necessary, to furnish
updates, and on the covered entities
identified above to modify their current
processes to implement the NPI.
However, the burden associated with
the routine or ongoing use of the NPI is
exempt from the PRA as defined in 5
CFR 1320.3(b)(2).
Based on the assumption that the
burden associated with systems
modifications that need to be made to
implement the NPI may overlap with
the systems modifications needed to
implement other HIPAA standards, and
the fact that the NPI will replace the use
of multiple identifiers, resulting in a
reduction of burden, commenters
should take into consideration when
drafting comments that: (1) One or more
of these current identifiers may not be
used; (2) systems modifications may be
performed in an aggregate manner
during the course of routine business;
and/or (3) systems modifications may be
made by contractors such as practice
management vendors, in a single effort
for a multitude of affected entities.
PRA Burden on Covered Health Care
Providers
A health care provider that is a
covered entity must obtain, by
application if necessary, an NPI from
the NPS. It must use its NPI to identify
itself on all standard transactions that it
conducts where its provider identifier is
required. In addition, the covered health
care provider must communicate to the
NPS any changes to its required NPS
data elements within 30 days of the
change. To comply with these
requirements, these health care
providers will complete the NPI
application/update form. This form
serves two purposes: it enables a
covered health care provider to apply
for an NPI and to furnish updates to the
NPS. Application for an NPI is
considered to be a one-time action: an
NPI is considered a permanent identifier
for a health care provider. (See section
II. A. 2., of this preamble, ‘‘Definition of
Health Care Provider,’’ for a discussion
of the permanent nature of the NPI.)
Most covered health care providers will
not have to furnish updates in a given
year; we estimate, based on information
in the Medicare program, that
approximately 12.6 percent of those
health care providers will need to
complete and submit the NPI
application/update form in a given year.
Below are our estimates for the annual
burden hours associated with these
requirements.
Applications for NPIs: Estimated
Annualized Burden
Notes: (1) Existing health care
providers that are covered entities
would be able to apply for NPIs over a
2-year period. For the estimated
annualized burden, we have divided the
number of these health care providers
by 2 to estimate the annual burden. (2)
Applying for an NPI is a one-time
burden on a health care provider. In
future years, this burden would apply
only to new health care providers that
are covered entities. (3) The number of
health care providers will increase by
1.56 percent annually. This is not a
‘‘net’’ percentage; it represents strictly
the percentage of new health care
providers coming into business
annually. (4) We estimate it will take 20
minutes to complete the application/
update form. (5) We estimate an hourly
rate of $10.87, rounded to $11, for office
staff to complete the application/update
form.
New health care providers come into
business every year. The first two years
would have increases of 36,124 and
37,251 in new covered health care
providers, respectively. The number of
new covered health care providers is
1.56 percent of the number of existing
health care providers in the previous
year.
Updates of NPS Data: Estimated
Annualized Burden
Notes: (1) We estimate that 12.6
percent of covered health care providers
would need to furnish updates in a
given year. The number of health care
providers needing to update their data
in any year is a percentage of the
number of health care providers. (2) A
health care provider that is a covered
entity that does not have changes to its
NPI data would not furnish updates and
would, therefore, experience no burden.
(3) We estimate it will take 10 minutes
to complete the application/update
form. (4) We estimate an hourly rate of
$10.87, rounded to $11, for office staff
to complete the application/update
form.
In FY 2007, we estimate there will be
1,157,821 covered health care providers
to be assigned NPIs. One could argue
that no updates will need to be made in
FY 2007 because no covered health care
provider would have been enumerated
prior to FY 2007. (Note: No health care
provider is required to have an NPI
before 2007.) However, for FY 2007, we
have factored in updates by adding 12.6
percent of the 1,157,821 covered health
care providers to represent—in a worst
case scenario—a full year’s worth of
updates if the full 12.6 percent of the
enumerated covered health care
providers needed to provide updates
within that same year.
Table 1 below shows the estimated
annualized burden for the PRA.
TABLE 1.—PAPERWORK REDUCTION ACT ESTIMATED ANNUALIZED BURDEN. ESTIMATED ANNUALIZED BURDEN
Year
2007
2008
2009
2010
2011
Total
Cost (Burden Hours for Total Providers)
Cost (Update Hours) ................................
$5,419,027
$670,165
$5,641,062
$719,050
$183,050
$759,519
$192,798
$800,337
$204,079
$847,167
$11,640,015
$3,796,237
Total Annualized Cost ......................
$6,089,192
$6,360,111
$942,568
$993,135
$1,051,246
$15,436,252
If feasible, to further reduce burden
and plan for compliance with the
Government Paperwork Elimination
Act, we are considering the acceptance
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
of applications and updates
electronically over the Internet. We
explicitly solicit comment on how we
might conduct this activity in the most
PO 00000
Frm 00029
Fmt 4701
Sfmt 4700
efficient and effective manner, while
ensuring the integrity, authenticity,
privacy, and security of health care
provider information.
E:\FR\FM\23JAR2.SGM
23JAR2
�3462
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
As required by section 3504(h) of the
Paperwork Reduction Act of 1995, we
have submitted a copy of this document
to the Office of Management and Budget
(OMB) for its review of these
information collection requirements. If
you comment on these information
collection and recordkeeping
requirements, please e-mail comments
to Paperwork@ cms.hhs.gov (Attn:
CMS–0045–F) or mail copies directly to
the following two addresses:
Centers for Medicare & Medicaid
Services, Office of Strategic
Operations and Regulatory Affairs,
Regulations Development and
Issuances Group, Room C5–14–03,
7500 Security Boulevard, Baltimore,
MD 21244–1850, Attn: James
Bossenmeyer, CMS–0045–F;
and
Office of Information and Regulatory
Affairs, Office of Management and
Budget, Room 10235, New Executive
Office Building, Washington, DC
20503, Attn: Brenda Aguilar, CMS–
0045–F, CMS Desk Officer.
V. Regulatory Impact Analysis
A. Overall Impact
We have examined the impacts of this
final rule as required by Executive
Order 12866 (September 1993,
Regulatory Planning and Review), the
Regulatory Flexibility Act (RFA)
(September 16, 1980, Pub. L. 96–354),
section 1102(b) of the Social Security
Act, the Unfunded Mandates Reform
Act of 1995 (Pub. L. 104–4), and
Executive Order 13132.
Executive Order 12866 (as amended
by Executive Order 13258, which
merely reassigns responsibility of
duties) directs agencies to assess all
costs and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). A regulatory impact analysis
(RIA) must be prepared for major rules
with economically significant effects
(costs plus savings equal $100 million
or more in any one year). We consider
this final rule to be a major rule, as it
will have an impact of over $100
million on the economy. This impact
analysis shows a net savings of $526
million over a 5-year period.
The RFA requires agencies to analyze
options for regulatory relief of small
businesses. For purposes of the RFA,
nonprofit organizations are considered
small entities. Small government
jurisdictions with a population of less
than 50,000 are considered small
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
entities. Individuals and States are not
considered small entities. Most
hospitals and most other providers and
suppliers are small entities, either by
nonprofit status or by having annual
revenues of less than the threshold
published in regulations by the Small
Business Administration (SBA).
Effective October 1, 2000, the SBA no
longer used the Standard Industrial
Classification (SIC) System to categorize
businesses and establish size standards,
and began using industries defined by
the new North American Industry
Classification System (NAICS). The
NAICS made several important changes
to the Health Care industries listed in
the SIC System: it revised terminology,
established a separate category (Health
Care and Social Assistance) under
which many health care providers are
located, and increased the number of
Health Care industries to 30 NAICS
industries from 19 Health Services SIC
industries.
On November 17, 2000, the SBA
published a final rule, which was
effective on December 18, 2000, in
which the SBA adopted new size
standards, ranging from $5 million to
$25 million, for 19 Health Care
industries and retained the existing $5
million size standard for the remaining
11 Health Care industries. The revisions
were made to more appropriately define
the size of businesses in these industries
that SBA believes should be eligible for
Federal small business assistance
programs.
On August 13, 2002, the SBA
published a final rule that was effective
on October 1, 2002. The final rule
amended the existing SBA size
standards by incorporating OMB’s 2002
modifications to the NAICS into its table
of small business size standards. The
final rule did not affect industries that
are considered covered entities by this
final rule.
On September 6, 2002, the SBA
published a final rule (effective October
1, 2002) that corrected the August 13,
2002, final rule. The final rule corrected
errors in the August 13, 2002, final rule
and contained a new table of size
standards to clearly identify size
standards by millions of dollars and by
number of employees. Some of those
revisions in size standards affected
some of the entities that are considered
covered entities under this final rule.
For example, the SBA revisions
increased the annual revenues for
offices of physicians to $8.5 million
(other practitioners’ offices’ revenues
remained at $6 million) and increased
the small business size standard for
hospitals to $29 million in annual
revenues.
PO 00000
Frm 00030
Fmt 4701
Sfmt 4700
The regulatory flexibility analysis for
this final rule is linked to the aggregate
regulatory flexibility analysis for all the
Administrative Simplification standards
that appeared in the Transactions Rule
(65 FR 50312), published on August 17,
2000, which predated the SBA changes
noted above. In addition, all HIPAA
regulations published to date have used
the SBA size standards that existed at
the time of the publication of the
Transactions Rule. Because the SBA size
standard changes predate the effective
date of this final rule, we are using the
current SBA small business size
standards for the regulatory flexibility
analysis for this final rule. Although the
SBA has raised the small business size
standards, the revised size standards
have no effect on the cost and benefit
analysis for this final rule. The revised
standards simply increase the number of
health care providers that are classified
as small businesses. Although the SBA
revisions changed the size standard for
health plans by increasing from $5
million to $6 million in annual revenues
the small business size standard, this
change has a minimal effect on this final
rule. Because all HIPAA administrative
simplification regulations permit small
health plans an additional year in which
to comply with the implementation
specifications and requirements, a
greater number of small health plans
would have the additional year, due to
the SBA size standard revisions.
While each standard may not have a
significant impact on a substantial
number of small businesses, the
combined effects of all the standards are
likely to have a significant effect on a
substantial number of small businesses.
However, this final rule will affect small
businesses, such as small health care
providers, health plans, and health care
clearinghouses, in much the same way
as it affects large businesses.
Small businesses that are covered
entities must meet the provisions of this
final rule and implement the standard
unique health care provider identifier
standard. The requirements placed on
small health care providers, health care
clearinghouses, and health plans would
be consistent with the complexity of
their operations. Small health plans
have an additional year in which to
comply. A more detailed analysis of the
impact on small businesses is part of the
impact analysis that we published on
August 17, 2000 (65 FR 50312), for all
the HIPAA standards.
In addition, section 1102(b) of the Act
requires us to prepare a regulatory
impact analysis if a rule may have a
significant impact on the operations of
a substantial number of small rural
hospitals. This analysis must conform to
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
the provisions of section 604 of the
RFA. For purposes of section 1102(b) of
the Act, we define a small rural hospital
as a hospital that is located outside of
a Metropolitan Statistical Area and has
fewer than 100 beds. This final rule will
have no more significant impact on
small rural hospitals than it will have
on other small health care providers.
Section 202 of the Unfunded
Mandates Reform Act (UMRA) of 1995
(2 U.S.C. 1532) requires that agencies
assess anticipated costs and benefits
before issuing any rule that may result
in expenditure in any one year by State,
local, or tribal governments, in the
aggregate, or by the private sector, of
$110 million. This final rule establishes
a Federal private sector mandate and is
a significant regulatory action within
the meaning of section 202 of UMRA.
We have included the statements to
address the anticipated effects of this
final rule under section 202 of UMRA.
This standard applies to State and
local governments in their roles as
covered entities. Covered entities must
implement the requirements in this final
rule; thus, this final rule imposes
unfunded mandates on them. Further
discussion of this issue is found in the
previously published impact analysis
for all Administrative Simplification
standards (65 FR 50312).
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a final
rule that imposes substantial direct
requirement costs on State and local
governments, preempts State law, or
otherwise has Federalism implications.
The proposed rule that proposed the
NPI as the standard unique health
identifier for health care providers was
published prior to the signing of that
Executive Order. We could not solicit
comments on the effect of Executive
Order 13132 on the adoption of the
health care provider identifier standard.
This final rule will have a substantial
effect on State and local governments to
the extent that those entities are covered
entities. As early as 1993, CMS (then the
Health Care Financing Administration)
led a workgroup whose goal was to
develop a provider identification system
for all health care providers. The system
was intended to meet the needs of the
Medicare and Medicaid programs, and
eventually other programs. State
Medicaid agencies in Alabama,
California, Minnesota, Virginia and
Maryland participated in this effort,
along with representatives from the
private sector and several other Federal
agencies. The first task of the workgroup
was to decide if an existing identifier
could be used or if a new one needed
to be developed. The workgroup
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
developed criteria for a unique provider
identifier, examined existing identifiers,
and concluded that a new identifier
needed to be developed. The workgroup
developed the NPI, and we proposed the
NPI as the standard unique health
identifier for health care providers in
the proposed rule.
States continue to hold memberships
on the National Uniform Claim
Committee and the National Uniform
Billing Committee, and continue to be
represented in the X12N and Health
Level Seven standards development
organization workgroups and
committees. As a result, States have in
the past, and continue to have, input
into the development of new standards
and the modification of existing
standards.
As stated in the previously published
impact analysis in 65 FR 50312, we do
not have sufficient information to
provide estimates of the impact of the
administrative simplification standards
on local governments.
In complying with the requirements
of part C of title XI, the Secretary
established interdepartmental
implementation teams who consulted
with appropriate State and Federal
agencies and private organizations.
These external groups included the
NCVHS’s Subcommittee on Standards
and Security, the Workgroup for
Electronic Data Interchange (WEDI), the
National Uniform Claim Committee
(NUCC), the National Uniform Billing
Committee (NUBC), and the American
Dental Association (ADA). The teams
also received comments on the May 7,
1998, proposed regulation from a variety
of organizations, including State
Medicaid agencies and other Federal
agencies.
We received comments from State
agencies and from entities that conduct
transactions with State agencies. Many
of the comments referred to the costs to
State and local governments of
implementing the HIPAA standards. We
believe that these costs will be offset by
future savings (see the impact analysis
of 65 FR 50350).
Other comments regarding States
reflected the need for clarification as to
when State agencies were subject to the
standards.
B. Anticipated Effects
The Regulatory Flexibility Act of 1980
considers all 31 nonprofit Blue CrossBlue Shield Health Plans to be small
businesses. Additionally, 28 percent of
HMOs are considered small businesses
because of their nonprofit status.
Doctors of osteopathy, dentistry,
podiatry, as well as chiropractors, and
solo and group physicians’ offices with
PO 00000
Frm 00031
Fmt 4701
Sfmt 4700
3463
fewer than three physicians, are
considered small businesses. Forty
percent of group practices with three or
more physicians and 100 percent of
optometrist practices are considered
small businesses. Seventy-two percent
of all pharmacies, 88 percent of medical
laboratories, 100 percent of dental
laboratories, and 90 percent of durable
medical equipment suppliers are
assumed to be small businesses as well.
This analysis required that we use
data and statistics about various entities
that operate in the health data
information industry.
We believe the best source for
information about the health data
information industry is Faulkner &
Gray’s Health Data Directory. This
publication is the most comprehensive
data directory of its kind that we could
find. The information in this directory
is gathered by Faulkner & Gray editors
and researchers who called all of the
more than 3,000 organizations that are
listed in the book in order to elicit
information about their operations.
Some businesses are listed as more than
one type of business entity because, in
reporting the information, companies
could list themselves to be as many as
three different types of entities. For
example, some businesses listed
themselves as both practice
management vendors and claims
software vendors because their practice
management software was ‘‘EDI
enabled.’’
All the statistics referencing Faulkner
& Gray’s come from the 2000 edition of
its Health Data Directory. It lists 78
claims clearinghouses, which, according
to the Health Data Directory are entities
that generally take electronic and paper
health care claims data from health care
providers and billing companies that
prepare bills on a health care provider’s
behalf. The claims clearinghouse acts as
a conduit for health plans; its activities
may include batching claims and
routing transactions to the appropriate
health plan in a form that expedites
payment.
Of the 78 claims clearinghouses listed
in this publication, eight processed
more than 20 million electronic
transactions per month. Another 15
handled 2 million or more transactions
per month and another 4 handled over
a million electronic transactions per
month. The remaining 39 entities listed
in the data dictionary processed fewer
than a million electronic transactions
per month. Almost all of these entities
have annual revenues of under $6
million and would therefore be
considered small entities.
Software system vendors provide
computer software applications support
E:\FR\FM\23JAR2.SGM
23JAR2
�3464
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
to health care clearinghouses, billing
companies, and health care providers.
In particular, they work with health care
providers’ practice management and
health information systems. These
businesses provide integrated software
applications for such services as
accounts receivable management,
electronic claims submission (patient
billing), recordkeeping, patient charting,
practice analysis, and patient
scheduling. Some software vendors also
provide applications that translate
information on paper and information
in electronic records having no standard
formats into standard electronic formats
that are acceptable to health plans.
Faulkner & Gray lists 78 physician
practice management vendors and
suppliers, 76 hospital information
systems vendors and suppliers, 140
software vendors and suppliers for
claims-related transactions, and 20
translation vendors (now known as
Interface Engines/Integration Tools). We
were unable to determine the number of
these entities with revenues over $6
million, but we assume most of these
businesses would be considered small
entities.
The costs of implementing the NPI are
primarily one-time or short-term costs
related to conversion. These costs are
characterized as follows: software
conversion, cost of automation, training,
implementation, and cost of
documentation and implementation
guides.
As stated earlier in this final rule,
health care providers will not be
charged for obtaining an NPI. Covered
health care providers will have to apply
for NPIs and will have to furnish
updates to the NPS when their required
data changes. (However, if health care
providers are enumerated through the
bulk enumeration process described
earlier in this preamble, they will not
have to apply for NPIs, and they will be
notified of their NPIs. Those that are
covered health care providers will have
to furnish updates to the NPS when
their required data changes and will
have to ensure that their subparts, if
assigned NPIs via bulk enumeration or
otherwise, do the same. These burden
estimates are discussed in section IV,
‘‘Collection of Information
Requirements,’’ of this preamble.) In
addition, covered health care providers
will have to bear the costs of converting
to the NPI, as will health plans and
health care clearinghouses. Health
plans, health care clearinghouses, and
covered health care providers are
required to implement the NPI. Most of
these entities meet the SBA’s definition
of small entities.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
Health plans, health care
clearinghouses, and health care
providers who are covered entities must
use NPIs in standard transactions and
must make the necessary changes and
conversions in order to do so.
Conversion will require training for staff
and will require changes to
documentation, procedures, records,
and software. Some covered health care
providers that do not already do so may
choose to use the services of software
system vendors, billing companies, and/
or health care clearinghouses to
facilitate the transition to the NPI. While
there may be up-front costs associated
with some of the required changes, the
fact that only one health care provider
number (the NPI) will be used in
standard transactions will simplify
business, improve efficiency, and create
savings. The format of the NPI (all
numeric) will facilitate telephone
keypad entry; the check-digit in the 10th
position will detect keying and data
entry errors; and the lack of intelligence
built into the NPI will eliminate the
need to issue a new health care provider
number (and maintain records of such
issuances) whenever changes occur that
would impact that intelligence.
After being assigned NPIs, covered
health care providers will have to
furnish the NPS with updates to their
required NPS data in the NPS within 30
days of the changes. It is very likely that
the NPS data will duplicate some of the
information that health care providers
furnish to health plans when they enroll
in health plans (although health plans
traditionally collect far more
information about a health care provider
than the NPS will collect). Because
health care providers must keep health
plans apprised of updates to their data,
the requirement that covered health care
providers apprise the NPS of updates
should not be a significant burden on
those health care providers.
The extended effective date of the NPI
should allow sufficient time for health
plans, health care clearinghouses, and
health care providers who are covered
entities to implement the changes
needed to accommodate the NPI.
Lastly, HIPAA gives small health
plans an extra year (36 months instead
of 24 months from the effective date) in
which to implement the NPI.
The May 7, 1998, proposed rule for
the National Provider Identifier (NPI)
contained a cost-benefit analysis based
on the aggregate impact of all the
HIPAA administrative simplification
standards for electronic data
interchange (EDI). The Comment/
Response section related to the
proposed aggregate analysis, and a final
aggregate impact analysis, are contained
PO 00000
Frm 00032
Fmt 4701
Sfmt 4700
in the Transactions Rule at 65 FR 50345.
We address the specific impact of the
NPI in section V.D. of this preamble,
‘‘Specific Impact of the NPI.’’
C. Alternatives Considered
Guiding Principles for Standard
Selection
As explained in the May 7, 1998,
proposed rule (at 63 FR 25323), the
implementation teams charged with
designating standards under the statute
defined, with significant input from the
health care industry, a set of common
criteria for evaluating potential
standards. These criteria are based on
direct specifications in HIPAA, the
purpose of the law, and principles that
support the regulatory philosophy set
forth in Executive Order 12866 of
September 30, 1993, and the Paperwork
Reduction Act of 1995. These criteria
also support and are consistent with the
principles of the Paperwork Reduction
Act of 1995. In order to be designated
as a standard, a proposed standard
should:
• Improve the efficiency and
effectiveness of the health care system
by leading to cost reductions for or
improvements in benefits from
electronic HIPAA health care
transactions. This principle supports the
regulatory goals of cost-effectiveness
and avoidance of burden.
• Meet the needs of the health data
standards user community, particularly
health care providers, health plans, and
health care clearinghouses. This
principle supports the regulatory goal of
cost-effectiveness.
• Be consistent and uniform with the
other HIPAA standards—their data
element definitions and codes and their
privacy and security implementation
specifications—and, secondarily, with
other private and public sector health
data standards. This principle supports
the regulatory goals of consistency and
avoidance of incompatibility, and it
establishes a performance objective for
the standard.
• Have low additional development
and implementation costs relative to the
benefits of using the standard. This
principle supports the regulatory goals
of cost-effectiveness and avoidance of
burden.
• Be supported by an ANSIaccredited standards developing
organization or other private or public
organization that will ensure continuity
and efficient updating of the standard
over time. This principle supports the
regulatory goal of predictability.
• Have timely development, testing,
implementation, and updating
procedures to achieve administrative
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
simplification benefits faster. This
principle establishes a performance
objective for the standard.
• Be technologically independent of
the computer platforms and
transmission protocols used in HIPAA
health transactions, except when they
are explicitly part of the standard. This
principle establishes a performance
objective for the standard and supports
the regulatory goal of flexibility.
• Be precise and unambiguous, but as
simple as possible. This principle
supports the regulatory goals of
predictability and simplicity.
• Keep data collection and paperwork
burdens on users as low as is feasible.
This principle supports the regulatory
goals of cost-effectiveness and
avoidance of duplication and burden.
• Incorporate flexibility to adapt more
easily to changes in the health care
infrastructure (such as new services,
organizations, and health care provider
types) and information technology. This
principle supports the regulatory goals
of flexibility and encouragement of
innovation.
We assessed the various candidates
for a health care provider identifier
against the principles listed above, with
the overall goal of achieving the
maximum benefit for the least cost. We
found that the NPI met all the principles
and that no other candidate identifier
met all the principles, or even those
principles supporting the regulatory
goal of cost-effectiveness. We received
comments suggesting that we consider
or reconsider the Taxpayer Identifying
Number or the Social Security Number
for individual health care providers and
the Employer Identification Number for
organizations as the standard unique
health identifier for health care
providers. We responded to these
comments in section II. A. 3. of this
preamble, ‘‘NPI Standard.’’
One possible alternative in the
development of the identifier was to
allow intelligence to be included in it.
We rejected this alternative on
qualitative grounds because it meant
that individuals might get more than
one identifier in their lifetimes. Cost
considerations also contributed to our
decision.
If intelligence were built into the
identifier, the operating cost of the
enumeration system would rise for
several reasons. First, additional
information would need to be collected
and verified so that the intelligence in
the identifier would be accurate.
Secondly, new identifiers for
individuals and organizations would
need to be assigned because the
embedded intelligence would change.
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
The cost to health plans would also
increase. First, their systems might need
to be adapted to use the intelligence in
the identifier. Secondly, they would
have to keep track of the more frequent
changes in identifiers, and revise their
processes accordingly.
An intelligent identifier would also be
more expensive for health care
providers. They would have to reapply
for identifiers if the information in the
intelligence changed. Additionally, they
would have to revise their systems to
change their identifiers every time they
changed.
These quantitative reasons support
our choice not to include intelligence in
the identifier.
Need to Convert
Because there is no standard health
care provider identifier in widespread
use throughout the industry, adopting
any of the candidate identifiers would
require covered entities to convert to the
new standard. In the case of the NPI,
covered entities will have to convert
because this identifier is not in use
presently. As we pointed out in the May
7, 1998, proposed rule in our analysis of
the candidates, even the identifiers that
are in use are not used for all purposes
or for all health care provider
classifications. The selection of the NPI
does not impose a greater burden on the
industry than the nonselected
candidates, and presents significant
advantages in terms of costeffectiveness, universality, uniqueness,
and flexibility.
Complexity of Conversion
Some existing health care provider
identifier systems assign multiple
identifiers to a single health care
provider in order to distinguish the
multiple identities the health care
provider has in the system. For
example, in these systems, the health
care provider may have a different
identifier to represent each contract or
provider agreement, practice location,
and specialty or health care provider
classification. Since the NPI is a unique
identifier for a health care provider, it
will not distinguish these multiple
identities. Systems that need to
distinguish these identities will need to
use data other than the NPI to do so.
The change to using other data will add
complexity to the conversion to the NPI
(or to any other standard health care
provider identifier), but it is necessary
in order to achieve the goal of unique
identification of the health care
provider.
The complexity of the conversion will
also be significantly affected by the
degree to which health plans’
PO 00000
Frm 00033
Fmt 4701
Sfmt 4700
3465
processing systems currently rely on
intelligent identifiers. For example, a
health plan may route claims to
different processing routines based on
the type of health care provider by
keying on a health care provider type
code included in the identifier.
Converting from one unintelligent
identifier to another is less complex
than modifying software logic to obtain
needed information from other data
elements. However, the use of an
unintelligent identifier is required in
order to meet the guiding principle of
ensuring flexibility.
Specific technology limitations of
existing systems could affect the
complexity of conversion. For example,
some existing health care provider data
systems use a telephone keypad to enter
data. Data entry of alpha characters is
inconvenient in these systems.
Comments were strong in suggesting
that the NPI be an all-numeric identifier,
be 10 positions in length, and include
a check-digit in the 10th position. (See
section II. A. 3. of this preamble, ‘‘NPI
Standard,’’ for a full description of
comments on the characteristics of the
identifier.) As stated in that section, in
response to comments, we changed the
format of the NPI to an all-numeric
number, 10 positions in length, with a
check-digit in the 10th position. There
will be no intelligence about the health
care provider in the number. This
format satisfies the comments for easier
data entry and the need for a number
that will be short enough to fit into most
existing data formats.
The selection of the NPI does not
impose a greater burden on the industry
than the nonselected candidates.
D. Specific Impact of the National
Provider Identifier
In the May 7, 1998, proposed rule (at
63 FR 25349), we included a section
that related to the specific impact of the
health care provider identifier. That
section of the proposed rule also
indicated the Federal, State, and private
costs associated with the enumeration
options set out in the proposed rule.
Proposed Provisions
The May 7, 1998, proposed rule for
the National Provider Identifier (NPI)
contained a cost-benefit analysis based
on the aggregate impact of all the
HIPAA administrative simplification
standards for electronic data
interchange (EDI). The response to
comments on the proposed aggregate
analysis is contained in the
Transactions Rule (at 65 FR 50345). The
Transactions Rule also includes an
updated impact analysis (at 65 FR
50350).
E:\FR\FM\23JAR2.SGM
23JAR2
�3466
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
One section of the impact analysis
that was published in the May 7, 1998,
proposed rule for the NPI (at 63 FR
25351) contained a discussion of the
costs of enumerating health care
providers under each of the two
enumeration options that were
described in the proposed rule. Table 5,
entitled ‘‘Enumeration Costs: Federal,
State, and Private,’’ was included in this
part of the impact analysis in the
proposed rule. This table compared the
costs for each of the two proposed
enumeration options. Below we respond
to the comments received about that
part of the impact analysis.
Comments and Responses on the
Specific Impact of the National Provider
Identifier
Comment: One commenter stated that
the pharmacy industry will not see huge
gains in the standardization of the NPI
for prescriber and pharmacy because de
facto standard identifiers exist for these
two provider types.
Response: We agree that the pharmacy
industry may not realize the benefits
from standardization of health care
provider numbers as quickly as other
segments of the health care industry
because the pharmacy industry already
uses numbers to identify health care
providers and pharmacies. However,
once NPIs are assigned to health care
providers and once the entire health
care industry begins to use the NPI, we
believe the pharmacy industry will see
the benefits of replacing its de facto
standards with the national standard.
The Drug Enforcement Administration
(DEA) number was established by the
DEA to identify those who prescribe or
store controlled substances. It is the
pharmacy industry’s de facto identifier
for prescribers. In developing the NPI,
we considered several existing
identifiers as candidates for the national
health care provider identifier. One of
those considered was the DEA number.
However, the use of the DEA number as
a national health care provider identifier
does not fit the scope for which the DEA
number was established. In addition,
the DEA number is not available to all
health care providers and, as a result,
would not be appropriate as the national
health care provider identifier. The
National Council for Prescription Drug
Programs (NCPDP) provider number,
formerly called the National Association
of Boards of Pharmacy (NABP) number,
is the pharmacy industry’s de facto
identifier for pharmacies. This number
was also considered a candidate for the
national health care provider identifier,
but did not meet two of the criteria
deemed necessary for a standard
identifier: it would not yield a sufficient
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
number of identifiers and it contained
intelligence.
Comment: Several commenters
suggested revisions to our definitions of
‘‘HIPAA-transaction health care
provider’’ and ‘‘non-HIPAA-transaction
health care provider.’’ They found the
terms confusing.
Response: We agree and do not use
those terms in this final rule.
Comment: One commenter asked that
we insert the word ‘‘costs’’ after ‘‘startup’’ and ‘‘outyear’’ in Table 5 headings
and definitions.
Response: This comment is not
applicable, as we do not include Table
5 in this final rule. We refer the reader
to the discussion under ‘‘Final
Provisions’’ in this section.
Comment: One commenter stated that
we did not factor in atypical service
providers that are exclusive to the
Medicaid program.
Response: The Medicaid program’s
atypical and nontraditional service
providers were included in Table 5 in
the May 7, 1998, proposed rule.
However, as explained in section II. A.
2, ‘‘Definition of Health Care Provider’’
in this preamble, most of them do not
meet our definition of health care
provider. Therefore, they are not
included in our analyses in this final
rule.
Comment: Several commenters stated
the estimate that 5 percent of health care
providers participating in Federal health
plans and Medicaid would have updates
each year is conservative and that the
number is more like 12 to 15 percent.
Another commenter believes it to be
even higher.
Response: We have not seen
documentation that would convince us
our estimate was incorrect at the time
the May 7, 1998, proposed rule was
published. In the proposed rule, we
estimated that 5 percent of the health
care providers who are covered entities
that conduct business with Federal
health plans or Medicaid would require
updates each year, and that 15 percent
of the remaining health care providers
that are covered entities (those that do
business only with private insurers)
would require updates each year. In
general, health plans (including Federal
health plans and Medicaid) collect more
information from their enrolled health
care providers than the NPS will collect
when a health care provider applies for
an NPI. Thus, there is more information
subject to change for health care
providers that are enrolled in a health
plan. This fact could explain why health
plans sometimes have a greater
percentage of updates than what we
estimated for NPI purposes in the
proposed rule, and could have been the
PO 00000
Frm 00034
Fmt 4701
Sfmt 4700
basis on which the comment was made.
The proposed rule did not include
calculations for updates for health care
providers who are not covered entities;
we would expect that percentage would
not exceed 15 percent. We computed
the weighted average of the percentages
of health care providers that would
require updates that were used in the
proposed rule (using 15 percent for
these health care providers). We have
concluded that approximately 12.6
percent of all existing health care
providers will have updates each year.
Comment: Several commenters said
that erroneous assumptions were used
in stating that the costs to Federal health
plans (including Medicare) and
Medicaid would be zero for
enumerating their own health care
providers. The costs would be
substantial.
Response: We acknowledge that there
would have been costs to Medicaid
State agencies and to Federal health
plans in manipulating and reformatting
their health care provider files and
transferring them to CMS for loading
into the NPS. There would also have
been ongoing costs to Medicaid State
agencies and other Federal health plans
to obtain NPIs for their health care
providers under option 2. In
manipulating and reformatting the files,
problems could be discovered in some
of the health care provider records that
would require investigation and
resolution. The costs of investigating
and resolving these problems were not
recognized earlier and, therefore, were
not considered in the May 7, 1998,
proposed rule.
Comment: One commenter stated that
the costs for option 1 as shown in Table
5 did not reflect the savings that would
have accrued by preloading Medicare
provider files into the NPS.
Response: While the narrative portion
of the impact analysis did mention that
Medicare provider files would be
preloaded into the NPS under both
options 1 and 2, the commenter is
correct in that this was not reflected in
Table 5 for option 1. However, as stated
earlier in this preamble, Medicare
provider files will be loaded into the
NPS only if it is feasible to do so.
Final Provisions
We stated in the May 7, 1998,
proposed rule that we cannot determine
the specific economic impact of the NPI
(and individually, each HIPAA
administrative simplification standard
may not have a significant impact). The
overall impact analysis (65 FR 50355)
made it clear that, collectively, all the
standards will have a significant impact
of over $100 million on the economy.
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
aware that the NPI was an upcoming
standard, they may have also made
some accommodations in their systems
to be able to use the NPI when it is
assigned. The NPI has already been
identified as a future identifier in the
implementation specifications for the
transaction standards.
There will still be costs and savings
related to the implementation of the NPI
by health plans and health care
providers. These will, however, be small
in comparison to those for transaction
standards and security. The NPI affects
only a small part of the system and
business processes for any covered
entity.
We estimate that the NPI would entail
10 percent of the costs and 5 percent of
the savings for health plans. Health
plans would need to make some system
changes from their current identifiers to
the NPI. They would save in not having
to maintain a system of identifiers that
exist today. We would estimate that for
health care providers, the NPI would
represent 5 percent of the costs and 10
percent of the savings. Health care
providers need only to substitute the
NPI for their current identifier(s). They
reap greater savings by not having to
keep track of separate identifiers for
each health plan and possibly for each
location, address, or contractual
The implementation costs and benefits
of the NPI were factored into that
overall impact analysis.
However, that impact analysis used
certain assumptions that have not been
realized. For example, it was assumed
that all of the HIPAA standards would
be issued and effective at about the
same time, so that covered entities
would be making their system changes
at one time. For various reasons,
standards have been issued and
effective over a much longer period of
time than expected. For example, the
transaction and code set standards were
published in 2000 and must be
implemented by October 2003. Security
standards are to be implemented by
April 2005, and the NPI must be used
by 2007.
Because the compliance dates cover
such an extended period of time, we
will estimate part of the overall cost and
savings for health plans and health care
providers that can be attributed to the
NPI. We continue to use the impact
analysis previously referenced as the set
of total costs and savings.
Because the standards for transactions
and codes sets, the employer identifier,
and security have already been
published, we assume that covered
entities have already made significant
system investments. Because they were
3467
arrangement. (However, as noted earlier
in this preamble, health plans may
require health care providers to use
identifiers other than the NPI for uses
other than standard transactions.)
Looking at the overall impact
analysis, while 2007 is the initial year
for using the NPI, it would be the
analogous to the first year of the overall
impact analysis, in which most of the
costs are incurred. Using the figures
from above, we make the following
estimates for 2007:
TABLE 2.—COSTS OF IMPLEMENTING
THE NPI IN 2007
[In millions of dollars, rounded to the nearest
million]
Health Plans:
2002 Cost from Impact Analysis ...
2002 Savings ................................
2007 Net for NPI for Health Plans
Health Care Providers:
2002 Cost from Impact Analysis ...
2002 Savings ................................
2007 Net for NPI for Health Care
Providers ...................................
¥146
24
¥122
¥79
61
¥18
Note: The figures in Table 2 have been
adjusted to reflect dollars expressed for 2007.
We perform the same calculations for
the next 4 years. This yields the
following results:
TABLE 3.—COSTS OF IMPLEMENTING THE NPI, 2007–2011
[In millions of dollars, rounded to the nearest million]
Year
2007
Health Plan Costs ............................................................
Health Plan Savings ........................................................
Provider Costs .................................................................
NPI Application and Update Costs ..................................
Provider Savings ..............................................................
Net Savings ......................................................................
NPS Costs .......................................................................
2008
146
24
73
6
61
¥140
91
2009
146
49
73
6
122
¥55
9
Note: The figures in Table 3 have been
adjusted to reflect dollars expressed for each
year.
providers, and that health care
providers are not being charged for
obtaining NPIs.
All costs of NPS development and
operation (which include the costs of
enumerating health care providers and
maintaining their information in the
NPS, and the costs of disseminating
NPS data to the health care industry and
others, as appropriate) are Federal costs.
As mentioned earlier in this preamble,
HHS will contract for system
development and for the enumeration,
update, and data dissemination
activities. We estimate the following
costs for operations of the National
Provider System (NPS), keeping in mind
that the NPS will enumerate both
covered and noncovered health care
E. Affected Entities
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
Health Care Providers
Health care providers and subparts, as
appropriate, will apply for NPIs. Health
care providers that are covered entities
must begin to use NPIs in standard
transactions no later than 24 months
after the effective date of this regulation;
and they must ensure that their
subparts, if assigned NPIs, do the same.
Covered health care providers that need
to be identified on standard transactions
must disclose their NPIs, upon request,
to entities that are required to use those
health care providers’ NPIs on standard
PO 00000
Frm 00035
Fmt 4701
Sfmt 4700
2010
134
73
67
1
183
54
9
2011
0
91
0
1
219
309
9
Total
0
103
0
1
256
358
9
426
341
213
15
840
526
128
transactions. Covered health care
providers must ensure that their
subparts, if assigned NPIs, do the same.
Any negative impact on health care
providers generally would be related to
the initial implementation period. They
would incur implementation costs for
converting systems, especially those
that generate electronic claims, from
current health care provider identifiers
to the NPI. Some health care providers
would incur those costs directly and
others would incur them in the form of
fee increases from billing associates and
health care clearinghouses.
Covered health care providers will
have to use their NPIs on standard
claims transactions and any other
standard transactions that they conduct;
they will have to ensure that their
E:\FR\FM\23JAR2.SGM
23JAR2
�3468
Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
subparts, if assigned NPIs, do the same.
They will also have to obtain and use
the NPIs of other health care providers
if those NPIs are needed on those
transactions. If covered health care
providers’ subparts are assigned NPIs,
the covered health care providers must
ensure that their subparts do the same.
This will be a more significant
implementation workload for larger
organization health care providers, such
as hospitals, that will have to capture
the NPIs for each health care provider
practicing in the hospital if those health
care providers need to be identified on
hospital claims. However, these health
care providers are accustomed to
maintaining these types of data. Some
health care providers will need access to
the NPIs of other health care providers
in order to identify those health care
providers on standard transactions. In
this regard, we encourage all health care
providers to obtain NPIs and, when
requested, to disclose their NPIs to
covered entities that need them for
inclusion on health care transactions.
Some health care providers, particularly
ones that do not do business with large
health plans, may be resistant to
obtaining NPIs and providing data about
themselves to a national database.
Claims processing and timely
payments to health care providers could
possibly be affected as health plans
transition to the NPI. We encourage
health plans to conduct outreach efforts
in order to minimize disruptions in
claims processing and timely payment.
Covered health care providers are
required to also furnish updates to their
required NPS data within 30 days of the
changes. Covered health care providers
must ensure that their subparts, if
assigned NPIs, do the same. (We
encourage other health care providers to
do the same.) The vast majority of
health plans issue identifiers to the
health care providers with which they
conduct business in order to facilitate
the electronic processing of claims and
other transactions. The information that
health care providers must supply in
order to receive an NPI is significantly
less than the information most health
plans require from a health care
provider in order to enroll in a health
plan. We will attempt to make the
processes of obtaining NPIs and
updating NPS data as easy as possible
for health care providers, reducing
duplication of effort wherever possible
and making the processes as automated
as possible. Neither the statute nor this
final rule requires charging health care
providers (or their subparts) to receive
NPIs.
After the compliance date, health care
providers will no longer have to keep
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
track of and use different identifiers
with different health plans when
conducting standard transactions. This
should simplify health care provider
billing systems and processes and
reduce administrative expenses. A
standard identifier should facilitate and
simplify coordination of benefits,
resulting in faster, more accurate
payments.
Health Plans
HIPAA does not prohibit health plans
from requiring their enrolled health care
providers to obtain NPIs.
Health plans will have to modify their
systems to use the NPI. This conversion
will have a one-time cost impact on
Federal, State, and private health plans
and is likely to be more costly for health
plans with complex systems that rely on
intelligent provider numbers.
Disruption of claims processing and
payment delays could result. However,
health plans will be able to schedule
their implementation of the NPI and
other standards in a manner that best
fits their needs, as long as they meet the
deadlines specified in this and the other
final rules that implement the
administrative simplification
provisions. Upon the NPI compliance
dates, health plans’ coordination of
benefits activities should be greatly
simplified because all health plans will
use a unique standard health care
provider identifier for each health care
provider. In addition, utilization review
and other payment safeguard activities
will be facilitated, since health care
providers would use only one identifier
and could be easily tracked over time
and across geographic areas. Health
plans currently assign their own
identification numbers to health care
providers as part of their enrollment
procedures, and this practice would no
longer be necessary. Existing
enumeration systems maintained by
Federal health programs could be
phased out, and savings would result.
Health care clearinghouses will face
impacts (both positive and negative)
similar to those experienced by health
plans. However, implementation will
likely be more complex, because health
care clearinghouses deal with many
health care providers and health plans.
Health care providers that are not
covered entities that do not wish to
apply for NPIs will necessitate the need
for health care clearinghouses to
accommodate health care provider
identifiers in addition to the NPI.
In accordance with the provisions of
Executive Order 12866, this regulation
was reviewed by the Office of
Management and Budget.
PO 00000
Frm 00036
Fmt 4701
Sfmt 4700
List of Subjects in 45 CFR Part 162
Administrative practice and
procedure, Electronic transactions,
Health facilities, Health insurance,
Hospitals, Incorporation by reference,
Medicare, Medicaid, Reporting and
recordkeeping reports.
■ For the reasons set forth in the
preamble, 45 CFR subchapter C part 162
is amended as follows:
PART 162—ADMINISTRATIVE
REQUIREMENTS
1. The authority citation continues to
read as follows:
■
Authority: Secs. 1171 through 1179 of the
Social Security Act (42 U.S.C. 1320d–1320d–
8), as added by sec. 262 of Pub. L. 104–191,
110 Stat. 2021–2031, and sec. 264 of Pub. L.
104–191, 110 Stat. 2033–2034 (42 U.S.C.
1320d–2 (note)).
2. A new subpart D is added to read as
follows:
■
Subpart D—Standard Unique Health
Identifier for Health Care Providers
Sec.
162.402 Definitions.
162.404 Compliance dates of the
implementation of the standard unique
health identifier for health care
providers.
162.406 Standard unique health identifier
for health care providers.
162.408 National Provider System.
162.410 Implementation specifications:
Health care providers.
162.412 Implementation specifications:
Health plans.
162.414 Implementation specifications:
Health care clearinghouses.
Subpart D—Standard Unique Health
Identifier for Health Care Providers
§ 162.402
Definitions.
Covered health care provider means a
health care provider that meets the
definition at paragraph (3) of the
definition of ‘‘covered entity’’ at
§ 160.103 of this subchapter.
§ 162.404 Compliance dates of the
implementation of the standard unique
health identifier for health care providers.
(a) Health care providers. A covered
health care provider must comply with
the implementation specifications in
§ 162.410 no later than May 23, 2007.
(b) Health plans. A health plan must
comply with the implementation
specifications in § 162.412 no later than
one of the following dates:
(1) A health plan that is not a small
health plan—May 23, 2007.
(2) A small health plan—May 23,
2008.
(c) Health care clearinghouses. A
health care clearinghouse must comply
with the implementation specifications
in § 162.414 no later than May 23, 2007.
E:\FR\FM\23JAR2.SGM
23JAR2
�Federal Register / Vol. 69, No. 15 / Friday, January 23, 2004 / Rules and Regulations
§ 162.406 Standard unique health identifier
for health care providers.
(a) Standard. The standard unique
health identifier for health care
providers is the National Provider
Identifier (NPI). The NPI is a 10-position
numeric identifier, with a check digit in
the 10th position, and no intelligence
about the health care provider in the
number.
(b) Required and permitted uses for
the NPI.
(1) The NPI must be used as stated in
§ 162.410, § 162.412, and § 162.414.
(2) The NPI may be used for any other
lawful purpose.
§ 162.408
National Provider System.
National Provider System. The
National Provider System (NPS) shall do
the following:
(a) Assign a single, unique NPI to a
health care provider, provided that—
(1) The NPS may assign an NPI to a
subpart of a health care provider in
accordance with paragraph (g); and
(2) The Secretary has sufficient
information to permit the assignment to
be made.
(b) Collect and maintain information
about each health care provider that has
been assigned an NPI and perform tasks
necessary to update that information.
(c) If appropriate, deactivate an NPI
upon receipt of appropriate information
concerning the dissolution of the health
care provider that is an organization, the
death of the health care provider who is
an individual, or other circumstances
justifying deactivation.
(d) If appropriate, reactivate a
deactivated NPI upon receipt of
appropriate information.
(e) Not assign a deactivated NPI to any
other health care provider.
(f) Disseminate NPS information upon
approved requests.
(g) Assign an NPI to a subpart of a
health care provider on request if the
VerDate jul<14>2003
18:17 Jan 22, 2004
Jkt 203001
identifying data for the subpart are
unique.
§ 162.410 Implementation specifications:
Health care providers.
(a) A covered entity that is a covered
health care provider must:
(1) Obtain, by application if
necessary, an NPI from the National
Provider System (NPS) for itself or for
any subpart of the covered entity that
would be a covered health care provider
if it were a separate legal entity. A
covered entity may obtain an NPI for
any other subpart that qualifies for the
assignment of an NPI.
(2) Use the NPI it obtained from the
NPS to identify itself on all standard
transactions that it conducts where its
health care provider identifier is
required.
(3) Disclose its NPI, when requested,
to any entity that needs the NPI to
identify that covered health care
provider in a standard transaction.
(4) Communicate to the NPS any
changes in its required data elements in
the NPS within 30 days of the change.
(5) If it uses one or more business
associates to conduct standard
transactions on its behalf, require its
business associate(s) to use its NPI and
other NPIs appropriately as required by
the transactions that the business
associate(s) conducts on its behalf.
(6) If it has been assigned NPIs for one
or more subparts, comply with the
requirements of paragraphs (a)(2)
through (a)(5) of this section with
respect to each of those NPIs.
(b) A health care provider that is not
a covered entity may obtain, by
application if necessary, an NPI from
the NPS.
§ 162.412 Implementation specifications:
Health plans.
(a) A health plan must use the NPI of
any health care provider (or subpart(s),
PO 00000
Frm 00037
Fmt 4701
Sfmt 4700
3469
if applicable) that has been assigned an
NPI to identify that health care provider
on all standard transactions where that
health care provider’s identifier is
required.
(b) A health plan may not require a
health care provider that has been
assigned an NPI to obtain an additional
NPI.
§ 162.414 Implementation specifications:
Health care clearinghouses.
A health care clearinghouse must use
the NPI of any health care provider (or
subpart(s), if applicable) that has been
assigned an NPI to identify that health
care provider on all standard
transactions where that health care
provider’s identifier is required.
Subpart F—Standard Unique Employer
Identifier
■ 3. In § 162.610, paragraph (c) is added
to read as follows:
§ 162.610 Implementation specifications
for covered entities.
*
*
*
*
*
(c) Required and permitted uses for
the Employer Identifier.
(1) The Employer Identifier must be
used as stated in § 162.610(b).
(2) The Employer Identifier may be
used for any other lawful purpose.
Authority: Secs. 1171 through 1179 of the
Social Security Act (42 U.S.C. 1320d—1320d8), as added by sec. 262 of Pub. L. 104–191,
110 Stat. 2021–2031, and sec. 264 of Pub. L.
104–191, 110 Stat. 2033–2034 (42 U.S.C.
1320d-2 (note)).
(Catalog of Federal Domestic Assistance
Program No. 93.774, Medicare—
Supplementary Medical Insurance Program.)
Dated: October 16, 2003.
Tommy G. Thompson,
Secretary.
[FR Doc. 04–1149 Filed 1–22–04; 8:45 am]
BILLING CODE 4120–01–P
E:\FR\FM\23JAR2.SGM
23JAR2
�
| File Type | application/pdf |
| File Title | Document |
| Subject | Extracted Pages |
| Author | U.S. Government Printing Office |
| File Modified | 2006-10-03 |
| File Created | 2004-01-22 |